IBM Security Web Gateway Appliance Version 7.0
Web Reverse Proxy Stanza Reference
SC27-4443-00
Note: Before using this information and the product it supports, read the information in “Notices” on page 325.

Edition notice

Note: This edition applies to version 7, release 0, modification 0 of IBM Security Access Manager (product number 5724-C87) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2002, 2012. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

About this publication . . . ix
  Intended audience . . . ix
  Access to publications and terminology . . . ix
  Related publications . . . xii
  Accessibility . . . xiv
  Technical training . . . xiv
  Support information . . . xiv

Stanza reference . . . 1

[acnt-mgt] stanza . . . 1
  account-expiry-notification . . . 1
  account-inactivated . . . 1
  account-locked . . . 2
  allow-unauthenticated-logout . . . 3
  allowed-referers . . . 3
  cert-failure . . . 4
  cert-stepup-http . . . 5
  certificate-login . . . 5
  change-password-auth . . . 6
  client-notify-tod . . . 6
  enable-html-redirect . . . 7
  enable-local-response-redirect . . . 7
  enable-passwd-warn . . . 8
  enable-secret-token-validation . . . 9
  help . . . 10
  http-rsp-header . . . 10
  html-redirect . . . 11
  login . . . 11
  login-redirect-page . . . 12
  login-success . . . 13
  logout . . . 13
  passwd-change . . . 14
  passwd-change-failure . . . 14
  passwd-change-success . . . 15
  passwd-expired . . . 15
  passwd-warn . . . 16
  passwd-warn-failure . . . 16
  redirect-to-root-for-pkms . . . 17
  single-signoff-uri . . . 17
  stepup-login . . . 18
  switch-user . . . 19
  temp-cache-response . . . 19
  too-many-sessions . . . 20
  use-restrictive-logout-filenames . . . 20
  use-filename-for-pkmslogout . . . 21

[auth-cookies] stanza . . . 21
  cookie . . . 21

[authentication-levels] stanza . . . 22
  level . . . 22

[aznapi-configuration] stanza . . . 23
  audit-attribute . . . 23
  auditcfg . . . 23
  auditlog . . . 24
  cache-refresh-interval . . . 25
  cred-attribute-entitlement-services . . . 25
  dynamic-adi-entitlement-services . . . 26
  input-adi-xml-prolog . . . 26
  listen-flags . . . 27
  logaudit . . . 27
  logclientid . . . 28
  logcfg . . . 28
  logflush . . . 29
  logsize . . . 30
  permission-info-returned . . . 30
  policy-attr-separator . . . 31
  policy-cache-size . . . 31
  resource-manager-provided-adi . . . 32
  xsl-stylesheet-prolog . . . 33

[azn-decision-info] stanza . . . 33
  azn-decision-info . . . 33

[ba] stanza . . . 34
  ba-auth . . . 34
  basic-auth-realm . . . 35

[cdsso] stanza . . . 35
  authtoken-lifetime . . . 35
  cdsso-argument . . . 36
  cdsso-auth . . . 36
  cdsso-create . . . 37
  clean-cdsso-urls . . . 37
  propagate-cdmf-errors . . . 38
  use-utf8 . . . 38

[cdsso-incoming-attributes] stanza . . . 39
  attribute_pattern . . . 39

[cdsso-peers] stanza . . . 40
  fully_qualified_hostname . . . 40

[cdsso-token-attributes] stanza . . . 40
  <default> . . . 40
  domain_name . . . 41

[certificate] stanza . . . 42
  accept-client-certs . . . 42
  cert-cache-max-entries . . . 42
  cert-cache-timeout . . . 43
  cert-prompt-max-tries . . . 43
  disable-cert-login-page . . . 44
  eai-data . . . 45
  eai-uri . . . 46

[cert-map-authn] stanza . . . 47
  debug-level . . . 47
  rules-file . . . 47

[cfg-db-cmd:entries] stanza . . . 48
  stanza::entry . . . 48

[cfg-db-cmd:files] stanza . . . 49
  files . . . 49

[cluster] stanza . . . 49
  is-master . . . 50
  master-name . . . 50
  max-wait-time . . . 51

[compress-mime-types] stanza . . . 51
  mime_type . . . 51

[compress-user-agents] stanza . . . 52
  pattern . . . 52
[content] stanza . . . 53
  utf8-template-macros-enabled . . . 53

[content-cache] stanza . . . 53
  MIME_type . . . 53

[content-encodings] stanza . . . 54
  extension . . . 54

[content-index-icons] stanza . . . 55
  type . . . 55

[credential-policy-attributes] stanza . . . 56
  policy-name . . . 56

[credential-refresh-attributes] stanza . . . 57
  attribute_name_pattern . . . 57
  authentication_level . . . 57

[dsess] stanza . . . 58
  dsess-sess-id-pool-size . . . 58
  dsess-cluster-name . . . 58

[dsess-cluster] stanza . . . 59
  basic-auth-user . . . 59
  basic-auth-passwd . . . 59
  gsk-attr-name . . . 60
  handle-idle-timeout . . . 61
  handle-pool-size . . . 61
  response-by . . . 62
  server . . . 62
  ssl-fips-enabled . . . 63
  ssl-keyfile . . . 64
  ssl-keyfile-label . . . 64
  ssl-keyfile-stash . . . 65
  ssl-valid-server-dn . . . 65
  timeout . . . 66

[eai] stanza . . . 66
  eai-auth . . . 66
  eai-auth-level-header . . . 67
  eai-flags-header . . . 67
  eai-pac-header . . . 68
  eai-pac-svc-header . . . 68
  eai-redir-url-header . . . 69
  eai-session-id-header . . . 69
  eai-user-id-header . . . 70
  eai-verify-user-identity . . . 70
  eai-xattrs-header . . . 71
  retain-eai-session . . . 72

[eai-trigger-urls] stanza . . . 72
  trigger . . . 72
  trigger . . . 73

[e-community-domains] stanza . . . 74
  name . . . 74

[e-community-domain-keys] stanza . . . 74
  domain_name . . . 74

[e-community-domain-keys:domain] stanza . . . 75
  domain_name . . . 75

[e-community-sso] stanza . . . 75
  cache-requests-for-ecsso . . . 75
  e-community-name . . . 76
  disable-ec-cookie . . . 76
  e-community-sso-auth . . . 77
  ec-cookie-domain . . . 77
  ec-cookie-lifetime . . . 78
  ecsso-allow-unauth . . . 78
  ecsso-propagate-errors . . . 79
  handle-auth-failure-at-mas . . . 79
  is-master-authn-server . . . 80
  master-authn-server . . . 80
  master-http-port . . . 81
  master-https-port . . . 82
  propagate-cdmf-errors . . . 82
  use-utf8 . . . 83
  vf-argument . . . 83
  vf-token-lifetime . . . 84
  vf-url . . . 84

[ecsso-incoming-attributes] stanza . . . 85
  attribute_pattern . . . 85

[ecsso-token-attributes] stanza . . . 86
  <default> . . . 86
  domain_name . . . 86

[enable-redirects] stanza . . . 87
  redirect . . . 87

[failover] stanza . . . 87
  clean-ecsso-urls-for-failover . . . 87
  enable-failover-cookie-for-domain . . . 88
  failover-auth . . . 89
  failover-cookie-lifetime . . . 89
  failover-cookies-keyfile . . . 90
  failover-include-session-id . . . 90
  failover-require-activity-timestamp-validation . . . 91
  failover-require-lifetime-timestamp-validation . . . 91
  failover-update-cookie . . . 92
  reissue-missing-failover-cookie . . . 92
  use-utf8 . . . 93

[failover-add-attributes] stanza . . . 93
  attribute_pattern . . . 93
  session-activity-timestamp . . . 94
  session-lifetime-timestamp . . . 94

[failover-restore-attributes] stanza . . . 95
  attribute_pattern . . . 95
  attribute_pattern . . . 96

[filter-content-types] stanza . . . 96
  type . . . 96

[filter-events] stanza . . . 97
  HTML_tag . . . 97

[filter-request-headers] stanza . . . 99
  header . . . 99

[filter-schemes] stanza . . . 100
  scheme . . . 100

[filter-url] stanza . . . 101
  HTML_tag . . . 101

[flow-data] stanza . . . 102
  flow-data-enabled . . . 102
  flow-data-stats-interval . . . 103

[forms] stanza . . . 103
  allow-empty-form-fields . . . 103
  forms-auth . . . 104

[gso-cache] stanza . . . 105
  gso-cache-enabled . . . 105
  gso-cache-entry-idle-timeout . . . 105
  gso-cache-entry-lifetime . . . 106
  gso-cache-size . . . 106

[header-names] stanza . . . 107
  server-name . . . 107

[http-transformations] stanza . . . 107
  resource-name . . . 107

[ICAP:<resource>] stanza . . . 109
  URL . . . 109
  transaction . . . 109
  timeout . . . 110

[illegal-url-substrings] stanza . . . 110
  substring . . . 110

[interfaces] stanza . . . 111
  interface_name . . . 111

[itim] stanza . . . 112
  is-enabled . . . 112
  itim-server-name . . . 112
  itim-servlet-context . . . 113
  keydatabase-file . . . 114
  keydatabase-password . . . 114
  keydatabase-password-file . . . 115
  principal-name . . . 116
  principal-password . . . 116
  service-password-dn . . . 117
  service-source-dn . . . 118
  service-token-card-dn . . . 119
  servlet-port . . . 120

[jdb-cmd:replace] stanza . . . 120
  jct-id=search-attr-value|replace-attr-value . . . 120

[junction] stanza . . . 121
  allow-backend-domain-cookies . . . 121
  basicauth-dummy-passwd . . . 122
  crl-ldap-server . . . 122
  crl-ldap-server-port . . . 123
  crl-ldap-user . . . 123
  crl-ldap-user-password . . . 124
  disable-ssl-v2 . . . 124
  disable-ssl-v3 . . . 125
  disable-tls-v1 . . . 125
  disable-tls-v11 . . . 126
  disable-tls-v12 . . . 126
  dont-reprocess-jct-404s . . . 127
  dynamic-addresses . . . 128
  http-timeout . . . 129
  https-timeout . . . 129
  insert-client-real-ip-for-option-r . . . 130
  io-buffer-size . . . 130
  jct-cert-keyfile . . . 131
  jct-cert-keyfile-stash . . . 132
  jct-cert-keyfile-pwd . . . 133
  jct-ocsp-enable . . . 133
  jct-ocsp-max-response-size . . . 134
  jct-ocsp-nonce-check-enable . . . 134
  jct-ocsp-nonce-generation-enable . . . 135
  jct-ocsp-proxy-server-name . . . 135
  jct-ocsp-proxy-server-port . . . 136
  jct-ocsp-url . . . 136
  jct-ssl-reneg-warning-rate . . . 137
  jct-undetermined-revocation-cert-action . . . 137
  jmt-map . . . 138
  managed-cookies-list . . . 139
  mangle-domain-cookies . . . 139
  match-vhj-first . . . 140
  max-cached-persistent-connections . . . 140
  max-webseal-header-size . . . 141
  pass-http-only-cookie-atr . . . 142
  persistent-con-timeout . . . 142
  ping-method . . . 143
  ping-time . . . 144
  ping-uri . . . 144
  recovery-ping-time . . . 145
  reprocess-root-jct-404s . . . 146
  reset-cookies-list . . . 146
  response-code-rules . . . 147
  share-cookies . . . 148
  support-virtual-host-domain-cookies . . . 148
  use-new-stateful-on-error . . . 149
  validate-backend-domain-cookies . . . 150
  worker-thread-hard-limit . . . 150
  worker-thread-soft-limit . . . 151
  disable-local-junctions . . . 151

[junction:junction_name] stanza . . . 152

[ldap] stanza . . . 152
  auth-timeout . . . 152
  auth-using-compare . . . 153
  bind-dn . . . 153
  bind-pwd . . . 154
  cache-enabled . . . 154
  cache-group-expire-time . . . 155
  cache-group-membership . . . 155
  cache-group-size . . . 156
  cache-policy-expire-time . . . 156
  cache-policy-size . . . 157
  cache-return-registry-id . . . 157
  cache-user-expire-time . . . 158
  cache-user-size . . . 158
  cache-use-user-cache . . . 159
  default-policy-override-support . . . 159
  enabled . . . 160
  host . . . 161
  login-failures-persistent . . . 161
  max-search-size . . . 162
  prefer-readwrite-server . . . 162
  port . . . 163
  replica . . . 163
  search-timeout . . . 164
  ssl-enabled . . . 165
  ssl-keyfile . . . 165
  ssl-keyfile-dn . . . 166
  ssl-keyfile-pwd . . . 167
  ssl-port . . . 167
  timeout . . . 168
  user-and-group-in-same-suffix . . . 168

[local-response-macros] stanza . . . 169
  macro . . . 169

[local-response-redirect] stanza . . . 170
  local-response-redirect-uri . . . 170

[logging] stanza . . . 171
  absolute-uri-in-request-log . . . 171
  agents . . . 171
  audit-mime-types . . . 172
  audit-response-codes . . . 172
  flush-time . . . 173
  gmt-time . . . 173
  host-header-in-request-log . . . 174
  log-invalid-requests . . . 174
  max-size . . . 175
  referers . . . 175
  requests . . . 176
  request-log-format . . . 176
  server-log-cfg . . . 178

[ltpa] stanza . . . 179
  ltpa-auth . . . 179
  cookie-name . . . 180
  cookie-domain . . . 180
  jct-ltpa-cookie-name . . . 181
  keyfile . . . 182
  update-cookie . . . 182
  use-full-dn . . . 183

[ltpa-cache] stanza . . . 183
  ltpa-cache-enabled . . . 183
  ltpa-cache-entry-idle-timeout . . . 184
  ltpa-cache-entry-lifetime . . . 184
  ltpa-cache-size . . . 185

[mpa] stanza . . . 185
  mpa . . . 185

[oauth-eas] stanza . . . 186
  apply-tam-native-policy . . . 186
  bad-gateway-rsp-file . . . 187
  bad-request-rsp-file . . . 187
  cache-size . . . 188
  cluster-name . . . 188
  default-fed-id . . . 189
  default-mode . . . 189
  fed-id-param . . . 190
  mode-param . . . 191
  realm-name . . . 191
  trace-component . . . 192
  unauthorized-rsp-file . . . 192

[obligations-levels-mapping] stanza . . . 193
  obligation . . . 193

[p3p-header] stanza . . . 194
  access . . . 194
  categories . . . 195
  disputes . . . 196
  non-identifiable . . . 197
  p3p-element . . . 197
  purpose . . . 198
  recipient . . . 199
  remedies . . . 200
  retention . . . 201

[PAM] stanza . . . 202
  pam-enabled . . . 202
  pam-max-memory . . . 202
  pam-use-proxy-header . . . 203
  pam-http-parameter . . . 203
  pam-coalescer-parameter . . . 204
  pam-log-cfg . . . 205
  pam-log-audit-events . . . 206
  pam-disabled-issues . . . 206
  pam-resource-rule . . . 207

[pam-resource:<URI>] stanza . . . 208
  pam-issue . . . 208

[preserve-cookie-names] stanza . . . 209
  name . . . 209

[process-root-filter] stanza . . . 209
  root . . . 209

[reauthentication] stanza . . . 210
  reauth-at-any-level . . . 210
  reauth-extend-lifetime . . . 210
  reauth-for-inactive . . . 211
  reauth-reset-lifetime . . . 211
  terminate-on-reauth-lockout . . . 212

[replica-sets] stanza . . . 213
  replica-set . . . 213

[rtss-eas] stanza . . . 213
  apply-tam-native-policy . . . 213
  audit-log-cfg . . . 214
  cluster-name . . . 215
  context-id . . . 216
  trace-component . . . 216

[rtss-cluster:<cluster>] stanza . . . 217
  basic-auth-user . . . 217
  basic-auth-passwd . . . 217
  handle-idle-timeout . . . 218
  handle-pool-size . . . 218
  server . . . 219
  ssl-fips-enabled . . . 220
  ssl-keyfile . . . 220
  ssl-keyfile-label . . . 221
  ssl-keyfile-stash . . . 222
  ssl-valid-server-dn . . . 222
  timeout . . . 223

[script-filtering] stanza . . . 223
  hostname-junction-cookie . . . 223
  rewrite-absolute-with-absolute . . . 224
  script-filter . . . 224

[server] stanza . . . 225
  allow-shift-jis-chars . . . 225
  allow-unauth-ba-supply . . . 225
  allow-unsolicited-logins . . . 226
  auth-challenge-type . . . 227
  cache-host-header . . . 228
  capitalize-content-length . . . 229
  client-connect-timeout . . . 229
  chunk-responses . . . 230
  concurrent-session-threads-hard-limit . . . 230
  concurrent-session-threads-soft-limit . . . 231
  connection-request-limit . . . 231
  cope-with-pipelined-request . . . 232
  decode-query . . . 232
  disable-timeout-reduction . . . 233
  double-byte-encoding . . . 233
  dynurl-allow-large-posts . . . 234
  dynurl-map . . . 235
  enable-IE6-2GB-downloads . . . 235
  filter-nonhtml-as-xhtml . . . 236
  force-tag-value-prefix . . . 236
  http . . . 237
  http-method-disabled-local . . . 237
  http-method-disabled-remote . . . 238
  http-port . . . 238
  https . . . 239
  https-port . . . 239
  ignore-missing-last-chunk . . . 240
  intra-connection-timeout . . . 240
  io-buffer-size . . . 241
  ip-support-level . . . 242
  ipv6-support . . . 243
  late-lockout-notification . . . 243
  max-client-read . . . 244
  max-file-cat-command-length . . . 244
  max-file-descriptors . . . 245
  max-idle-persistent-connections . . . 246
  network-interface . . . 246
  persistent-con-timeout . . . 247
  pre-410-compatible-tokens . . . 247
  pre-510-compatible-token . . . 248
  preserve-base-href . . . 248
  preserve-base-href2 . . . 249
  preserve-p3p-policy . . . 249
  process-root-requests . . . 250
  redirect-using-relative . . . 250
  reject-invalid-host-header . . . 251
  reject-request-transfer-encodings . . . 252
  request-body-max-read . . . 252
  request-max-cache . . . 253
  send-header-ba-first . . . 253
  send-header-spnego-first . . . 254
  server-name . . . 255
  slash-before-query-on-redirect . . . 255
  strip-www-authenticate-headers . . . 256
  suppress-backend-server-identity . . . 256
  suppress-dynurl-parsing-of-posts . . . 257
  suppress-server-identity . . . 258
  tag-value-missing-attr-tag . . . 258
  use-existing-username-macro-in-custom-redirects . . . 259
  use-http-only-cookies . . . 259
  utf8-form-support-enabled . . . 260
  utf8-qstring-support-enabled . . . 260
  utf8-url-support-enabled . . . 261
  validate-query-as-ga . . . 261
  web-host-name . . . 262
  web-http-port . . . 263
  web-http-protocol . . . 263
  worker-threads . . . 264

[session] stanza . . . 264
  dsess-enabled . . . 264
  dsess-last-access-update-interval . . . 265
  enforce-max-sessions-policy . . . 265
  inactive-timeout . . . 266
  logout-remove-cookie . . . 266
  max-entries . . . 267
  prompt-for-displacement . . . 268
  register-authentication-failures . . . 268
  require-mpa . . . 269
  resend-webseal-cookies . . . 269
  send-constant-sess . . . 270
  shared-domain-cookie . . . 270
  ssl-id-sessions . . . 271
  ssl-session-cookie-name . . . 271
  standard-junction-replica-set . . . 272
  tcp-session-cookie-name . . . 272
  temp-session-cookie-name . . . 273
  temp-session-max-lifetime . . . 273
  timeout . . . 274
  update-session-cookie-in-login-request . . . 275
  user-session-ids . . . 275
  user-session-ids-include-replica-set . . . 276
  use-same-session . . . 276

[session-cookie-domains] stanza . . . 277
  domain . . . 277

[session-http-headers] stanza . . . 277
  header_name . . . 277

[ssl] stanza . . . 278
  base-crypto-library . . . 278
  crl-ldap-server . . . 278
  crl-ldap-server-port . . . 279
  crl-ldap-user . . . 280
  crl-ldap-user-password . . . 280
  disable-ssl-v2 . . . 281
  disable-ssl-v3 . . . 281
  disable-tls-v1 . . . 282
  disable-tls-v11 . . . 282
  disable-tls-v12 . . . 283
  enable-duplicate-ssl-dn-not-found-msgs . . . 283
  fips-mode-processing . . . 284
  gsk-attr-name . . . 284
  gsk-crl-cache-entry-lifetime . . . 286
  gsk-crl-cache-size . . . 286
  jct-gsk-attr-name . . . 287
  ocsp-enable . . . 288
  ocsp-max-response-size . . . 289
  ocsp-nonce-check-enable . . . 289
  ocsp-nonce-generation-enable . . . 290
  ocsp-proxy-server-name . . . 290
  ocsp-proxy-server-port . . . 291
  ocsp-url . . . 291
  ssl-keyfile . . . 292
  ssl-keyfile-label . . . 292
  ssl-keyfile-pwd . . . 293
  ssl-keyfile-stash . . . 293
  ssl-local-domain . . . 294
  ssl-max-entries . . . 294
  ssl-v2-timeout . . . 295
  ssl-v3-timeout . . . 296
  suppress-client-ssl-errors . . . 296
  undetermined-revocation-cert-action . . . 297
  webseal-cert-keyfile . . . 297
  webseal-cert-keyfile-label . . . 298
  webseal-cert-keyfile-pwd . . . 298
  webseal-cert-keyfile-stash . . . 299

[ssl-qop] stanza . . . 299
  ssl-qop-mgmt . . . 299

[ssl-qop-mgmt-default] stanza . . . 300
  default . . . 300

[ssl-qop-mgmt-hosts] stanza . . . 301
  host-ip . . . 301

[ssl-qop-mgmt-networks] stanza . . . 302
  network/netmask . . . 302

[step-up] stanza . . . 303
  retain-stepup-session . . . 303
  show-all-auth-prompts . . . 303
  step-up-at-higher-level . . . 304
  verify-step-up-user . . . 304

[system-environment-variables] stanza . . . 305
  env-name . . . 305

[tfimsso:<jct-id>] stanza . . . 306
  always-send-tokens . . . 306
  applies-to . . . 307
  one-time-token . . . 307
  preserve-xml-token . . . 308
  renewal-window . . . 308
  service-name . . . 309
  tfim-cluster-name . . . 309
  token-collection-size . . . 310
  token-type . . . 310
  token-transmit-name . . . 311
  token-transmit-type . . . 311

[tfim-cluster:<cluster>] stanza . . . 312
  basic-auth-user . . . 312
  basic-auth-passwd . . . 312
  gsk-attr-name . . . 313
  handle-idle-timeout . . . 314
  handle-pool-size . . . 314
  server . . . 315
  ssl-fips-enabled . . . 316
  ssl-keyfile . . . 316
  ssl-keyfile-label . . . 317
  ssl-keyfile-stash . . . 318
  ssl-valid-server-dn . . . 318
  timeout . . . 319

[uraf-registry] stanza . . . 319
  bind-id . . . 319
  cache-lifetime . . . 320
  cache-mode . . . 321
  cache-size . . . 321

[user-agent] stanza . . . 322
  user-agent . . . 322

Notices . . . 325

Index . . . 329
About this publication
Welcome to the IBM Security Web Gateway Appliance: Web Reverse Proxy Stanza Reference.

IBM Security Access Manager for Web, formerly called IBM Tivoli Access Manager for e-business, is a user authentication, authorization, and web single sign-on solution for enforcing security policies over a wide range of web and application resources.

The IBM Security Web Gateway Appliance includes Security Access Manager. The appliance uses a Web Reverse Proxy to provide user access and authentication management for web application sessions. This guide uses the term WebSEAL to reference this proxy.

Security Access Manager WebSEAL is the resource manager for web-based resources in a Security Access Manager secure domain. WebSEAL is a high performance, multi-threaded web server that applies fine-grained security policy to the protected web object space. WebSEAL can provide single sign-on solutions and incorporate back-end web application server resources into its security policy.

This guide provides the complete stanza reference for configuring WebSEAL. You can use this guide in conjunction with the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy, which provides valuable background and concept information for the wide range of WebSEAL functionality.
Intended audience

This guide is for system administrators responsible for configuring and maintaining a Security Access Manager WebSEAL environment.

Readers should be familiar with the following:
- PC and UNIX or Linux operating systems
- Database architecture and concepts
- Security management
- Internet protocols, including HTTP, TCP/IP, File Transfer Protocol (FTP), and Telnet
- Lightweight Directory Access Protocol (LDAP) and directory services
- A supported user registry
- WebSphere® Application Server administration
- Authentication and authorization

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

Access to publications and terminology

This section provides:
- A list of publications in the “IBM Security Access Manager for Web library.”
- Links to “Online publications” on page xii.
- A link to the “IBM Terminology website” on page xii.
IBM Security Access Manager for Web library
The following documents are in the IBM Security Access Manager for Web library:

- IBM Security Access Manager for Web Quick Start Guide, GI11-9333-01
  Provides steps that summarize major installation and configuration tasks.
- IBM Security Web Gateway Appliance Quick Start Guide – Hardware Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Hardware Appliance, SC22-5434-00
- IBM Security Web Gateway Appliance Quick Start Guide – Virtual Offering
  Guides users through the process of connecting and completing the initial configuration of the WebSEAL Virtual Appliance.
- IBM Security Access Manager for Web Installation Guide, GC23-6502-02
  Explains how to install and configure Security Access Manager.
- IBM Security Access Manager for Web Upgrade Guide, SC23-6503-02
  Provides information for users to upgrade from version 6.0, or 6.1.x to version 7.0.
- IBM Security Access Manager for Web Administration Guide, SC23-6504-02
  Describes the concepts and procedures for using Security Access Manager. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin utility.
- IBM Security Access Manager for Web WebSEAL Administration Guide, SC23-6505-02
  Provides background material, administrative procedures, and reference information for using WebSEAL to manage the resources of your secure Web domain.
- IBM Security Access Manager for Web Plug-in for Web Servers Administration Guide, SC23-6507-02
  Provides procedures and reference information for securing your Web domain by using a Web server plug-in.
- IBM Security Access Manager for Web Shared Session Management Administration Guide, SC23-6509-02
  Provides administrative considerations and operational instructions for the session management server.
- IBM Security Access Manager for Web Shared Session Management Deployment Guide, SC22-5431-00
  Provides deployment considerations for the session management server.
- IBM Security Web Gateway Appliance Administration Guide, SC22-5432-00
  Provides administrative procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Configuration Guide for Web Reverse Proxy, SC22-5433-00
  Provides configuration procedures and technical reference information for the WebSEAL Appliance.
- IBM Security Web Gateway Appliance Web Reverse Proxy Stanza Reference, SC27-4442-00
x IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
Provides a complete stanza reference for the IBM® Security Web Gateway Appliance Web Reverse Proxy.
• IBM Security Access Manager for Web WebSEAL Configuration Stanza Reference, SC27-4443-00
Provides a complete stanza reference for the WebSEAL Appliance.
• IBM Global Security Kit: CapiCmd Users Guide, SC22-5459-00
Provides instructions on creating key databases, public-private key pairs, and certificate requests.
• IBM Security Access Manager for Web Auditing Guide, SC23-6511-02
Provides information about configuring and managing audit events by using the native Security Access Manager approach and the Common Auditing and Reporting Service. You can also find information about installing and configuring the Common Auditing and Reporting Service. Use this service for generating and viewing operational reports.
• IBM Security Access Manager for Web Command Reference, SC23-6512-02
Provides reference information about the commands, utilities, and scripts that are provided with Security Access Manager.
• IBM Security Access Manager for Web Administration C API Developer Reference, SC23-6513-02
Provides reference information about using the C language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
• IBM Security Access Manager for Web Administration Java Classes Developer Reference, SC23-6514-02
Provides reference information about using the Java™ language implementation of the administration API to enable an application to perform Security Access Manager administration tasks.
• IBM Security Access Manager for Web Authorization C API Developer Reference, SC23-6515-02
Provides reference information about using the C language implementation of the authorization API to enable an application to use Security Access Manager security.
• IBM Security Access Manager for Web Authorization Java Classes Developer Reference, SC23-6516-02
Provides reference information about using the Java language implementation of the authorization API to enable an application to use Security Access Manager security.
• IBM Security Access Manager for Web Web Security Developer Reference, SC23-6517-02
Provides programming and reference information for developing authentication modules.
• IBM Security Access Manager for Web Error Message Reference, GI11-8157-02
Provides explanations and corrective actions for the messages and return codes.
• IBM Security Access Manager for Web Troubleshooting Guide, GC27-2717-01
Provides problem determination information.
• IBM Security Access Manager for Web Performance Tuning Guide, SC23-6518-02
Provides performance tuning information for an environment that consists of Security Access Manager with the IBM Tivoli Directory Server as the user registry.
About this publication xi
Online publications
IBM posts product publications when the product is released and when the publications are updated at the following locations:
IBM Security Access Manager for Web Information Center
The http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.isam.doc_70/welcome.html site displays the information center welcome page for this product.
IBM Publications Center
The http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications that you need.
IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.
Related publications
This section lists the IBM products that are related to and included with the Security Access Manager solution.
Note: The following middleware products are not packaged with IBM Security Web Gateway Appliance.
IBM Global Security Kit
Security Access Manager provides data encryption by using Global Security Kit (GSKit) version 8.0.x. GSKit is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.
GSKit version 8 includes the command-line tool for key management, GSKCapiCmd (gsk8capicmd_64).
GSKit version 8 no longer includes the key management utility, iKeyman (gskikm.jar). iKeyman is packaged with IBM Java version 6 or later and is now a pure Java application with no dependency on the native GSKit runtime. Do not move or remove the bundled java/jre/lib/gskikm.jar library.
The IBM Developer Kit and Runtime Environment, Java Technology Edition, Version 6 and 7, iKeyman User's Guide for version 8.0 is available on the Security Access Manager Information Center. You can also find this document directly at:
http://download.boulder.ibm.com/ibmdl/pub/software/dw/jdk/security/60/iKeyman.8.User.Guide.pdf
Note:
GSKit version 8 includes important changes made to the implementation of Transport Layer Security required to remediate security issues.
The GSKit version 8 changes comply with the Internet Engineering Task Force (IETF) Request for Comments (RFC) requirements. However, it is not compatible with earlier versions of GSKit. Any component that communicates with Security Access Manager that uses GSKit must be upgraded to use GSKit version 7.0.4.42, or 8.0.14.26 or later. Otherwise, communication problems might occur.
IBM Tivoli Directory Server
IBM Tivoli Directory Server version 6.3 FP17 (6.3.0.17-ISS-ITDS-FP0017) is included on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform.
You can find more information about Tivoli Directory Server at:
http://www.ibm.com/software/tivoli/products/directory-server/
IBM Tivoli Directory Integrator
IBM Tivoli Directory Integrator version 7.1.1 is included on the IBM Tivoli Directory Integrator Identity Edition V 7.1.1 for Multiplatform product image or DVD for your particular platform.
You can find more information about IBM Tivoli Directory Integrator at:
http://www.ibm.com/software/tivoli/products/directory-integrator/
IBM DB2 Universal Database™
IBM DB2 Universal Database Enterprise Server Edition, version 9.7 FP4 is provided on the IBM Security Access Manager for Web Version 7.0 product image or DVD for your particular platform. You can install DB2® with the Tivoli Directory Server software, or as a stand-alone product. DB2 is required when you use Tivoli Directory Server or z/OS® LDAP servers as the user registry for Security Access Manager. For z/OS LDAP servers, you must separately purchase DB2.
You can find more information about DB2 at:
http://www.ibm.com/software/data/db2
IBM WebSphere products
The installation packages for WebSphere Application Server Network Deployment, version 8.0, and WebSphere eXtreme Scale, version 8.5.0.1, are included with Security Access Manager version 7.0. WebSphere eXtreme Scale is required only when you use the Session Management Server (SMS) component.
WebSphere Application Server enables the support of the following applications:
• Web Portal Manager interface, which administers Security Access Manager.
• Web Administration Tool, which administers Tivoli Directory Server.
• Common Auditing and Reporting Service, which processes and reports on audit events.
• Session Management Server, which manages shared sessions in a Web security server environment.
• Attribute Retrieval Service.
You can find more information about WebSphere Application Server at:
http://www.ibm.com/software/webservers/appserv/was/library/
Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.
Visit the IBM Accessibility Center for more information about IBM's commitment to accessibility.
Technical training
For technical training information, see the following IBM Education website at http://www.ibm.com/software/tivoli/education.
Support information
IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/software/support/probsub.html.
The IBM Security Access Manager for Web Troubleshooting Guide provides details about:
• What information to collect before you contact IBM Support.
• The various methods for contacting IBM Support.
• How to use IBM Support Assistant.
• Instructions and problem-determination resources to isolate and fix the problem yourself.
Note: The Community and Support tab on the product information center can provide more support resources.
Stanza reference
This guide provides a complete stanza reference for the WebSEAL configuration file, alphabetized by stanza name.
You can use the IBM Security Web Gateway Appliance Local Management Interface (LMI) to edit the WebSEAL configuration file. On the Reverse Proxy management page, select the appropriate WebSEAL instance and click Manage > Configuration > Edit Configuration File to open the Advanced Configuration File Editor. You can use this editor to directly edit the WebSEAL configuration file.
For more details about the WebSEAL configuration file naming and structure, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy. For more information about administering the appliance and navigating the LMI, see the IBM Security Web Gateway Appliance: Administration Guide.
[acnt-mgt] stanza
account-expiry-notification
Syntax
account-expiry-notification = {yes|no}
Description
Specifies whether WebSEAL informs the user of the reason for a login failure when the failure is due to an invalid or expired account. When this entry is set to no, the user receives the same error message as that which is sent when a login fails due to invalid authentication information, such as an invalid user name or password.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
account-expiry-notification = yes
account-inactivated
Syntax
account-inactivated = filename
Description
Page displayed when nsAccountLock is true for a user (in Sun Directory Server) when they attempt to log in. This page is only displayed if they provide the correct password during login.
NOTE: This option has no effect unless the corresponding Security Access Manager LDAP option is enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.
Options
filename
Page displayed when nsAccountLock is true for the user who has provided the correct password during login.
Usage
This stanza entry is required.
Default value
None.
NOTE: The value for this option in the template configuration file is acct_locked.html.
Example
account-inactivated = acct_locked.html
account-locked
Syntax
account-locked = filename
Description
Page displayed when the user authentication fails due to a locked user account.
Options
filename
Page displayed when the user authentication fails due to a locked user account.
Usage
This stanza entry is required.
Default value
acct_locked.html
Example
account-locked = acct_locked.html
allow-unauthenticated-logout
Syntax
allow-unauthenticated-logout = {yes|no}
Description
Determines whether unauthenticated users are able to request the pkmslogout resource without authenticating first.
Options
yes Allow unauthenticated users to be able to request the pkmslogout resource.
no Unauthenticated users must authenticate before the pkmslogout resource is returned.
Usage
This stanza entry is required.
Default value
no
Example
allow-unauthenticated-logout = no
allowed-referers
Syntax
allowed-referers = referer_filter
Description
For protection against cross-site request forgery (CSRF) attacks, you can configure WebSEAL to validate the HTTP Request referer header for all account management pages. WebSEAL uses the value provided for this configuration entry to determine whether the referrer host name in an incoming request is "valid".
If this entry is configured, when WebSEAL receives a request for an account management page, WebSEAL:
1. Checks whether the referer header is present in the HTTP Request header.
2. Validates the host name portion of that referrer against the allowed-referers entries.
If WebSEAL finds that an incoming request does not match any of the configured allowed-referers filters, the request fails and WebSEAL returns an error page.
Entries can contain the following wildcard characters:
• * - match 0 or more characters.
• ? - match any single character.
• \ - Literal match of the following character.
Stanza reference 3
You can use the value %HOST% for this entry. This value is a special filter, which indicates to WebSEAL that a referrer is "valid" if the host name portion of the referer header matches the host header.
If there are no allowed-referers entries then WebSEAL does not complete this validation.
Note: You can specify this entry multiple times to define multiple "allowed" referrer filters. WebSEAL uses all of these entries when validating the referrer.
For more information about referrer validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
referer_filter
Specifies a filter for a referrer host name that WebSEAL can accept as "valid".
Usage
This stanza entry is optional.
Default value
None.
Example
The following entry matches any referrer host name that begins with the characters ac, followed by zero or more characters, and ends with the characters me.
allowed-referers = ac*me
The following entry indicates that a referrer is "valid" if the host name portion of the referer header matches the host header.
allowed-referers = %HOST%
cert-failure
Syntax
cert-failure = filename
Description
Page displayed when certificates are required and a client fails to authenticate with a certificate.
Options
filename
Page displayed when certificates are required and a client fails to authenticate with a certificate.
Usage
This stanza entry is required.
Default value
certfailure.html
Example
cert-failure = certfailure.html
cert-stepup-http
Syntax
cert-stepup-http = filename
Description
WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.
Options
filename
WebSEAL displays this HTML page when a client attempts to increase authentication strength level (step-up) to certificates while using HTTP protocol.
Usage
This stanza entry is required.
Default value
certstepuphttp.html
Example
cert-stepup-http = certstepuphttp.html
certificate-login
Syntax
certificate-login = filename
Description
Form requesting client-side certificate authentication login.
This form is used only when the accept-client-certs key in the [certificate] stanza is set to prompt_as_needed.
Options
filename
Form requesting client-side certificate authentication login.
Usage
This stanza entry is required when delayed certificate authentication or authentication strength level (step-up) for certificates is enabled.
Default value
certlogin.html
Example
certificate-login = certlogin.html
change-password-auth
Syntax
change-password-auth = {yes|no}
Description
Enable this option to allow users to authenticate when changing a password.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
change-password-auth = yes
client-notify-tod
Syntax
client-notify-tod = {yes|no}
Description
Enable the display of an error page when authorization is denied due to a POP time of day check. The error page is 38cf08cc.html.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
client-notify-tod = yes
enable-html-redirect
Syntax
enable-html-redirect = {yes|no}
Description
Configures WebSEAL to use the HTML redirect page to handle redirections rather than returning an HTTP 302 response redirect.
When a user successfully authenticates, WebSEAL typically uses an HTTP 302 response to redirect the user back to the resource that was originally requested.
HTML redirection causes WebSEAL to send a static page back to the browser instead of a 302 redirect. WebSEAL can then use the JavaScript or any other code that is embedded in this static page to process the redirect.
You can use the html-redirect configuration entry, which is also in the [acnt-mgt] stanza, to specify the page that contains the HTML redirection.
For more information about HTML redirection, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Note: If you enable this configuration entry, you must not specify a value for the login-redirect-page entry, which is also in the [acnt-mgt] stanza.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
enable-html-redirect = no
enable-local-response-redirect
Syntax
enable-local-response-redirect = {yes|no}
Description
Enable or disable sending a redirection to a response application instead of serving management or error pages from the local system.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [acnt-mgt:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
enable-local-response-redirect = no
enable-passwd-warn
Syntax
enable-passwd-warn = {yes|no}
Description
Enable WebSEAL to detect the attribute REGISTRY_PASSWORD_EXPIRE_TIME added to a user's credential when the LDAP password policy indicates that their password is soon to expire. The value of this attribute is the number of seconds until their password expires. When this attribute is detected, at login to WebSEAL, a password warning form will appear.
NOTE: This option must be set in order to use the associated options, which are also in the [acnt-mgt] stanza: passwd-warn and passwd-warn-failure. The corresponding Security Access Manager LDAP option must be enabled ([ldap] enhanced-pwd-policy=yes) and supported for the particular LDAP registry type.
Options
yes Enable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute to ultimately warn the user when their password is soon to expire.
no Disable the detection of the REGISTRY_PASSWORD_EXPIRE_TIME attribute. WebSEAL will not be able to notify users when their passwords are soon to expire.
Usage
This stanza entry is optional.
Default value
The option will default to yes if it is not specified in the configuration file.
NOTE: The value for this option in the template configuration file is no.
Example
enable-passwd-warn = yes
enable-secret-token-validation
Syntax
enable-secret-token-validation = {true|false}
Description
Use this entry to enable secret token validation, which protects certain WebSEAL account management pages against cross-site request forgery (CSRF) attacks. If you set this entry to true, WebSEAL adds a token to each session and validates the "token" query argument for the following account management requests:
• /pkmslogin.form
• /pkmslogout
• /pkmslogout-nomas
• /pkmssu.form
• /pkmsskip
• /pkmsdisplace
• /pkmspasswd.form
For example, you must change the /pkmslogout request to /pkmslogout?token=<value>, where <value> is the unique session token.
If secret token validation is enabled and the token argument is missing from the request or does not match the session token, WebSEAL returns an error page. For more information about secret token validation, search for "CSRF" in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
true WebSEAL uses secret token validation to protect against CSRF attacks.
Note: This setting modifies the URLs for the affected WebSEAL management pages. Each of these management requests must contain a "token" argument with the current session token.
false WebSEAL does not use secret token validation.
Usage
This stanza entry is optional.
Default value
false
Example
enable-secret-token-validation = true
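The two CSRF checks described under allowed-referers and enable-secret-token-validation, modelled together as an added example (not WebSEAL's own code): wildcard referer filters with the %HOST% special filter, and the per-session "token" query argument on the listed management URIs. The token format and the treatment of a missing Referer header as a failed match are assumptions of this model.

```python
"""Model of the two CSRF checks WebSEAL applies to account management
requests: allowed-referers filtering and secret token validation.

Added example, not WebSEAL's own code; request shapes are constructed.
"""
import hmac
import re
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Management requests that must carry ?token=<session token> when
# enable-secret-token-validation = true (list from the stanza reference).
TOKEN_PROTECTED_URIS = frozenset({
    "/pkmslogin.form", "/pkmslogout", "/pkmslogout-nomas", "/pkmssu.form",
    "/pkmsskip", "/pkmsdisplace", "/pkmspasswd.form",
})


def compile_referer_filter(pattern: str):
    """Turn one allowed-referers entry into an anchored regular expression.

    '*' matches zero or more characters, '?' matches exactly one, and a
    backslash makes the following character literal. Host names are
    compared case-insensitively.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped literal
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def referer_allowed(referer: Optional[str], host_header: str,
                    filters: list) -> bool:
    """Apply the allowed-referers check.

    With no filters configured the check is skipped entirely. Otherwise the
    host name of the Referer must match one filter; the special filter
    %HOST% accepts a Referer whose host equals the request's Host header.
    Assumption of this model: a missing Referer header counts as no match.
    """
    if not filters:
        return True
    if not referer:
        return False
    referer_host = (urlsplit(referer).hostname or "").lower()
    request_host = host_header.split(":", 1)[0].lower()  # drop any port
    for entry in filters:
        if entry == "%HOST%":
            if referer_host and referer_host == request_host:
                return True
        elif compile_referer_filter(entry).match(referer_host):
            return True
    return False


def new_session_token() -> str:
    """Per-session secret token (format is an assumption of this model)."""
    return secrets.token_urlsafe(32)


def token_valid(request_uri: str, session_token: str) -> bool:
    """Secret token validation for the protected management URIs.

    The 'token' query argument must equal the session's token; other
    paths are not subject to the check. Comparison is constant-time.
    """
    parts = urlsplit(request_uri)
    if parts.path not in TOKEN_PROTECTED_URIS:
        return True
    supplied = parse_qs(parts.query).get("token", [""])[0]
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def check_account_management_request(request_uri: str, headers: dict,
                                     session_token: str,
                                     allowed_referers: list,
                                     secret_token_validation: bool):
    """Return None when both checks pass, otherwise the reason for the
    error page WebSEAL would return instead of the management page."""
    if not referer_allowed(headers.get("Referer"), headers.get("Host", ""),
                           allowed_referers):
        return "referer not allowed"
    if secret_token_validation and not token_valid(request_uri, session_token):
        return "missing or invalid token"
    return None
```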
help
Syntax
help = filename
Description
Page containing links to valid administration pages.
Options
filename
Page containing links to valid administration pages.
Usage
This stanza entry is required.
Default value
help.html
Example
help = help.html
http-rsp-header
Syntax
http-rsp-header = header-name:macro
Description
Inserts custom headers whenever WebSEAL returns a custom response to the client.
Options
header-name
The name of the header that holds the value.
macro
The type of value to be inserted. This parameter can be one of the following values:
• TAM_OP
• AUTHNLEVEL
• ERROR_CODE
• ERROR_TEXT
• CREDATTR(<name>), where <name> is the name of the credential attribute.
• USERNAME
Usage
This stanza entry is optional.
Note: You can specify this entry multiple times to include multiple headers in the response.
Default value
None.
Example
The following example inserts the Security Access Manager error code in a response header named tam-error-code:
http-rsp-header = tam-error-code:ERROR_CODE
html-redirect
Syntax
html-redirect = filename
Description
Specifies the standard HTML redirection page.
Options
filename
Standard HTML redirection page.
Usage
This stanza entry is required.
Default value
redirect.html
Example
html-redirect = redirect.html
login
Syntax
login = filename
Description
Standard login form.
Options
filename
Standard login form.
Usage
This stanza entry is required.
Default value
login.html
Example
login = login.html
login-redirect-page
Syntax
login-redirect-page = destination
Description
Page to which users are automatically redirected after completing a successful authentication. The configured redirect destination can be either:
• A server-relative Uniform Resource Locator (URL), or
• An absolute URL, or
• A macro which allows dynamic substitution of information from WebSEAL.
The supported macros include:
%AUTHNLEVEL%
Level at which the session is currently authenticated.
%HOSTNAME%
Fully qualified host name.
%PROTOCOL%
The client connection protocol used. Can be HTTP or HTTPS.
%URL%
The original URL requested by the client.
%USERNAME%
The name of the logged in user.
%HTTPHDR{name}%
The HTTP header that corresponds to the specified name. For example: %HTTPHDR{Host}%
%CREDATTR{name}%
The credential attribute with the specified name. For example: %CREDATTR{tagvalue_session_index}%
Note: You cannot use this configuration entry if the enable-js-redirect entry (also in the [acnt-mgt] stanza) is set to yes. These redirects are not compatible with one another.
Options
destination
Uniform Resource Locator (URL) to which users are automatically redirected after login, or a macro for dynamic substitution of information from WebSEAL.
Usage
This stanza entry is optional.
Default value
None.
Example
Example of a server relative URL:
login-redirect-page = /jct/page.html
Example of an absolute URL:
login-redirect-page = http://www.ibm.com/
Example that uses a macro:
login-redirect-page = /jct/intro-page.html?level=%AUTHNLEVEL%&url=%URL%
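An added example (not WebSEAL's own code) that expands the macros listed above in a login-redirect-page value. The RedirectContext fields and the percent-encoding of values substituted inside the query string are assumptions of the model.

```python
"""Expansion of the login-redirect-page macros listed in the stanza reference.

Added example, not WebSEAL's own code. Macro names come from the reference;
the RedirectContext fields and the encoding rule are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import quote

# %NAME% for the simple macros, %HTTPHDR{name}% and %CREDATTR{name}% for
# the parameterised ones. Anything else is left untouched.
MACRO_RE = re.compile(
    r"%(?:(AUTHNLEVEL|HOSTNAME|PROTOCOL|URL|USERNAME)"
    r"|(HTTPHDR|CREDATTR)\{([^{}]*)\})%"
)


@dataclass
class RedirectContext:
    """What WebSEAL knows about the session and request at redirect time
    (this field set is a constructed assumption)."""
    authn_level: int
    hostname: str
    protocol: str            # "HTTP" or "HTTPS"
    url: str                 # original URL requested by the client
    username: str
    headers: dict = field(default_factory=dict)
    cred_attrs: dict = field(default_factory=dict)


def _macro_value(match, ctx: RedirectContext) -> str:
    """Resolve one matched macro to its raw (unencoded) value."""
    simple, kind, name = match.group(1), match.group(2), match.group(3)
    if simple is not None:
        return {
            "AUTHNLEVEL": str(ctx.authn_level),
            "HOSTNAME": ctx.hostname,
            "PROTOCOL": ctx.protocol,
            "URL": ctx.url,
            "USERNAME": ctx.username,
        }[simple]
    if kind == "HTTPHDR":
        # Header names are case-insensitive; unknown headers expand to "".
        lookup = {k.lower(): v for k, v in ctx.headers.items()}
        return lookup.get(name.lower(), "")
    return ctx.cred_attrs.get(name, "")  # CREDATTR; unknown attribute -> ""


def expand_login_redirect(destination: str, ctx: RedirectContext) -> str:
    """Expand the macros in a login-redirect-page value.

    Macros in the path portion are substituted verbatim (so %URL% alone
    redirects to the original request). Macros inside the query string are
    percent-encoded so that a value such as "/app?x=1&y=2" stays one
    argument instead of being split into several.
    """
    path, sep, query = destination.partition("?")
    expanded_path = MACRO_RE.sub(lambda m: _macro_value(m, ctx), path)
    expanded_query = MACRO_RE.sub(
        lambda m: quote(_macro_value(m, ctx), safe=""), query)
    return expanded_path + sep + expanded_query
```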
login-success
Syntax
login-success = filename
Description
Page displayed after successful login.
Options
filename
Page displayed after successful login.
Usage
This stanza entry is required.
Default value
login_success.html
Example
login-success = login_success.html
logout
Syntax
logout = filename
Description
Page displayed after successful logout.
Options
filename
Page displayed after successful logout.
Usage
This stanza entry is required.
Default value
logout.html
Example
logout = logout.html
passwd-change
Syntax
passwd-change = filename
Description
Page containing a change password form.
Options
filename
Page containing a change password form.
Usage
This stanza entry is required.
Default value
passwd.html
Example
passwd-change = passwd.html
passwd-change-failure
Syntax
passwd-change-failure = filename
Description
Page displayed when password change request fails.
Options
filename
Page displayed when password change request fails.
Usage
This stanza entry is required.
Default value
passwd.html
Example
passwd-change-failure = passwd.html
passwd-change-success
Syntax
passwd-change-success = filename
Description
Page displayed when password change request succeeds.
Options
filename
Page displayed when password change request succeeds.
Usage
This stanza entry is required.
Default value
passwd_rep.html
Example
passwd-change-success = passwd_rep.html
passwd-expired
Syntax
passwd-expired = filename
Description
Page displayed when the user authentication fails due to an expired user password.
Options
filename
Page displayed when the user authentication fails due to an expired user password.
Usage
This stanza entry is required.
Default value
passwd_exp.html
Example
passwd-expired = passwd_exp.html
passwd-warn
Syntax
passwd-warn = filename
Description
Page displayed after login if WebSEAL detects the LDAP password is soon to expire.
NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.
Options
filename
Page displayed as a warning that the LDAP password is soon to expire.
Usage
This stanza entry is required.
Default value
None.
NOTE: The value for this option in the template configuration file is passwd_warn.html.
Example
passwd-warn = passwd_warn.html
passwd-warn-failure
Syntax
passwd-warn-failure = filename
Description
Page displayed if the user fails to change their password after being notified that the LDAP password is soon to expire. This page gives the user another chance to change their password and indicates the cause of the error.
NOTE: This option has no effect unless enable-passwd-warn (also in the [acnt-mgt] stanza) is set to yes and the corresponding Security Access Manager LDAP option is also enabled ([ldap] enhanced-pwd-policy=yes). This LDAP option must be supported for the particular LDAP registry type.
Options
filename
Page displayed if the user does not change their password after receiving notification that the LDAP password is soon to expire.
Usage
This stanza entry is required.
Default value
None.
NOTE: The value for this option in the template configuration file is passwd_warn.html.
Example
passwd-warn-failure = passwd_warn.html
redirect-to-root-for-pkms
Syntax
redirect-to-root-for-pkms = {yes|no}
Description
In older releases, WebSEAL would, in rare cases, redirect clients to the document root directory instead of returning the login success page following a successful authentication. This behavior was eliminated in later releases. Set redirect-to-root-for-pkms to yes to restore the previous behavior.
Options
yes Restore previous behavior.
no Maintain default behavior.
Usage
This stanza entry is required.
Default value
no
Example
redirect-to-root-for-pkms = no
single-signoff-uri
Syntax
single-signoff-uri = URI
Description
When a user session is terminated in WebSEAL, any sessions that might exist on backend application servers are not destroyed. You can use this configuration entry to change this default behavior.
When a WebSEAL user session is terminated and this stanza entry is configured, WebSEAL sends a request to the resource specified by the configured URI. The request contains any configured headers and cookies for the junction point on which the resource resides. The backend application can use this information to terminate any sessions for that user.
Note: You can configure more than one single-signoff-uri entry to send a request to multiple URIs.
Options
URI
The resource identifier of the application that receives the single signoff request from WebSEAL.
Note: The URI must be server relative and correspond to a resource on a standard junction.
Usage
This stanza entry is optional.
Default value
None.
Example
single-signoff-uri = /management/logoff
stepup-login
Syntax
stepup-login = filename
Description
Step-up authentication login form.
Options
filename
Step-up authentication login form.
Usage
This stanza entry is required.
Default value
stepuplogin.html
Example
stepup-login = stepuplogin.html
switch-user
Syntax
switch-user = filename
Description
Switch user management form.
Options
filename
Switch user management form.
Usage
This stanza entry is required.
Default value
switchuser.html
Example
switch-user = switchuser.html
temp-cache-response
Syntax
temp-cache-response = filename
Description
The default page that WebSEAL returns if no URL redirect is supplied with the pkmstempsession request. The pkmstempsession page is accessed to achieve session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
filename
The default page that WebSEAL returns for a pkmstempsession request.
Usage
This stanza entry is optional.
Default value
temp_cache_response.html
Example
temp-cache-response = temp_cache_response.html
too-many-sessions
Syntax
too-many-sessions = filename
Description
Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.
Options
filename
Page displayed when a user has too many concurrent sessions and must either cancel their new login or terminate the other sessions.
Usage
This stanza entry is required.
Default value
too_many_sessions.html
Example
too-many-sessions = too_many_sessions.html
use-restrictive-logout-filenames
Syntax
use-restrictive-logout-filenames = {yes|no}
Description
Control the restrictions normally enforced on the name of the /pkmslogout custom response file.
Options
yes Use the default restrictions to enforce the name of the /pkmslogout custom response file.
no Only slash (/), backslash (\), characters outside of the ASCII range 0x20 - 0x7E, and filenames that begin with a period (.) will be disallowed.
Usage
This stanza entry is required.
Default value
yes
Example
use-restrictive-logout-filenames = yes
use-filename-for-pkmslogout
Syntax
use-filename-for-pkmslogout = {yes|no}
Description
Controls whether or not the appended query string (specifying a custom response page) in a pkmslogout command is used to override the default response page.
Options
yes Enables the operation of the query string. If a query string in a pkmslogout URL specifies a custom response page, that custom page is used instead of the default page.
no Disables the operation of the query string. Any query string in a pkmslogout URL that specifies a custom response page is ignored. Only the default response page is used upon logout.
Usage
This stanza entry is required.
Default value
no
Example
use-filename-for-pkmslogout = yes
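The two entries above decide whether a pkmslogout request may name its own response page and what names are acceptable. The following is an added example, not WebSEAL's code: it implements only the relaxed rule set the page spells out for use-restrictive-logout-filenames = no (the stricter default set is not listed here), and it assumes a query-string parameter of the form filename=<name> and a placeholder default page name.

```python
from urllib.parse import parse_qs

# Constructed placeholder for the configured default logout response page.
DEFAULT_LOGOUT_PAGE = "logout.html"


def is_allowed_logout_filename(name: str) -> bool:
    """Apply the relaxed rules listed for use-restrictive-logout-filenames = no.

    Disallowed: slash, backslash, any character outside the ASCII range
    0x20-0x7E, and filenames that begin with a period. Everything else passes.
    """
    if not name or name.startswith("."):
        return False
    for ch in name:
        if ch in ("/", "\\") or not 0x20 <= ord(ch) <= 0x7E:
            return False
    return True


def select_logout_page(query_string: str, use_filename_for_pkmslogout: bool) -> str:
    """Decide which response page a pkmslogout request receives.

    use-filename-for-pkmslogout = no: the query string is ignored and the
    default page is always used. = yes: a custom page named in the query
    string is used, but only if it passes the filename check; anything else
    falls back to the default page. The 'filename=<name>' parameter shape is
    an assumption made for this example.
    """
    if not use_filename_for_pkmslogout:
        return DEFAULT_LOGOUT_PAGE
    # parse_qs percent-decodes, so an encoded '../' is seen by the check below.
    names = parse_qs(query_string, keep_blank_values=True).get("filename", [])
    if len(names) != 1 or not is_allowed_logout_filename(names[0]):
        return DEFAULT_LOGOUT_PAGE
    return names[0]


if __name__ == "__main__":
    for candidate in ("custom_logout.html", "../etc/passwd", ".hidden.html"):
        print(candidate, "->", is_allowed_logout_filename(candidate))
    print(select_logout_page("filename=custom_logout.html", True))
```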
[auth-cookies] stanza
cookie
Syntax
cookie = cookie-name
Description
Specifies HTTP cookies to be used for authentication.
Note: This option is enabled only when the http-headers-auth option in the [http-headers] stanza is configured for http, https, or both.
Options
cookie-name Name of the HTTP cookie to be used for authentication.
Usage
This stanza entry is optional.
Default value
None.
Example
cookie = authcookie
[authentication-levels] stanza
level
Syntax
level = method-name
Description
Step-up authentication levels. WebSEAL enables authenticated users to increase the authentication level by use of step-up authentication. This key=value pair specifies which step-up authentication levels are supported by this WebSEAL server.
Do not specify an authentication level unless the authentication method is enabled. For example, you must enable either basic authentication or forms authentication before you set level = password.
Enter a separate key=value pair for each supported level. Supported levels include:
v unauthenticated
v password
v ssl
v ext-auth-interface
The position of the entry in the file dictates the associated authentication level. The first row, typically unauthenticated, is associated with authentication level 0. Each subsequent line is associated with the next higher level. You can add multiple entries for the same method.
It is possible for the method to set the authentication level itself. For example, an External Authentication Interface (EAI) implementation might set either authentication level 2 or 3 depending on the authentication transaction that the client undertakes.
The EAI can set this authentication level directly in the identity attributes returned to WebSEAL. To support this implementation, you can create two identical lines in positions 3 and 4. For example:
level = unauthenticated (associated with level 0)
level = password (associated with level 1)
level = ext-auth-interface (associated with level 2)
level = ext-auth-interface (associated with level 3)
Options
method-name Name of the authentication method.
Usage
This stanza entry is required.
Default value
unauthenticated
password
Example
level = unauthenticated
level = password
[aznapi-configuration] stanza
audit-attribute
Syntax
audit-attribute = attribute
Description
Attributes to be audited.
Options
attribute Attributes to be audited.
Usage
This stanza entry is required.
Default value
tagvalue_su-admin
Example
audit-attribute = tagvalue_su-admin
auditcfg
Syntax
auditcfg = {azn|authn|http}
Description
Indicates the components for which auditing of events is configured. To enable component-specific audit records, add the appropriate definition.
Options
azn Capture authorization events.
authn Capture authentication events.
http Capture HTTP events. These correspond to the events logged by the request, referer, and agent logging clients.
Usage
This stanza entry is optional for WebSEAL. However, this stanza entry is required when auditing is enabled (logaudit = yes).
Default value
There is no default value for WebSEAL, because auditing is disabled by default.
Example
Create a separate stanza entry for each component to be activated. The components are included in the default configuration file but are commented out. To activate a commented out entry, remove the pound sign (#) from the start of the entry.
Example:
auditcfg = azn
#auditcfg = authn
#auditcfg = http
auditlog
Syntax
auditlog = file_name
Description
Name of the audit trail file for WebSEAL.
Options
file_name The file name value represents an alphanumeric string.
Usage
This stanza entry is required when auditing is enabled.
Default value
aznapi_webseald-<instance_name>.log.
where:
<instance_name> The WebSEAL instance name. For example, default.
Example
auditlog = aznapi_webseald-default.log
cache-refresh-interval
Syntax
cache-refresh-interval = {disable|default|number_of_seconds}
Description
Poll interval between checks for updates to the master authorization server.
Options
disable The interval value in seconds is not set.
default When the value is set to default, an interval of 600 seconds is used.
number_of_seconds Integer value indicating the number of seconds between polls to the master authorization server to check for updates.
The minimum number of seconds is 0. There is no maximum value.
Usage
This stanza entry is optional.
Default value
disable
Example
cache-refresh-interval = disable
cred-attribute-entitlement-services
Syntax
cred-attribute-entitlement-services = service-ID
Description
Enables the credential policy entitlements service.
Options
service-ID ID of the service.
Usage
This stanza entry is optional.
Default value
TAM_CRED_POLICY_SVC
Example
cred-attribute-entitlement-services = TAM_CRED_POLICY_SVC
dynamic-adi-entitlement-services
Syntax
dynamic-adi-entitlement-services = service-ID
Description
A list of configured entitlements service IDs that are queried by the rules engine if missing ADI is detected during an authorization rule evaluation.
Options
service-ID Service ID that is queried by the rules engine if missing ADI is detected during an authorization rule evaluation.
Usage
This stanza entry is optional.
Default value
None.
Example
dynamic-adi-entitlement-services = AMWebARS_A
input-adi-xml-prolog
Syntax
input-adi-xml-prolog = prolog
Description
The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.
Options
prolog The prolog to be added to the top of the XML document that is created using the Authorization Decision Information (ADI) needed to evaluate a boolean authorization rule.
Usage
This stanza entry is optional.
Default value
<?xml version='1.0' encoding='UTF-8'?>
Example
input-adi-xml-prolog = <?xml version='1.0' encoding='UTF-8'?>
listen-flags
Syntax
listen-flags = {enable|disable}
Description
Enables or disables the reception by WebSEAL of policy cache update notifications from the master authorization server.
Options
enable Activates the notification listener.
disable Deactivates the notification listener.
Usage
This stanza entry is required.
Default value
disable
Example
listen-flags = enable
logaudit
Syntax
logaudit = {yes|true|no|false}
Description
Enables or disables auditing.
Options
yes Enable auditing.
true Enable auditing.
no Disable auditing.
false Disable auditing.
Usage
This stanza entry is required.
Default value
no
Example
logaudit = no
logclientid
Syntax
logclientid = webseald
Description
Name of the daemon whose activities are audited through use of authorization API logging.
Options
webseald Name of the daemon whose activities are audited through use of authorization API logging.
Usage
This stanza entry is required.
Default value
webseald
Example
logclientid = webseald
logcfg
Syntax
logcfg = category:{stdout|stderr|file|remote|rsyslog}[ [parameter=value][,parameter=value]...]
Description
Specifies event logging for the specified category.
Options
Specifies event logging for the specified category.
For WebSEAL, the categories are:
audit.azn Authorization events.
audit.authn Credential acquisition authentication events.
http All HTTP logging information.
http.clf HTTP request information as defined by the request-log-format configuration entry in the [logging] stanza.
http.ref HTTP Referer header information.
http.agent HTTP User-Agent header information.
{stdout|stderr|file|remote|rsyslog} Event logging supports a number of output destination types. WebSEAL auditing typically is configured to use the file type.
parameter = value
Each event logging type supports a number of optional parameter = value options.
For more information about output destination types and optional parameter = value settings, see the IBM Security Access Manager for Web: Administration Guide.
Usage
This stanza entry is optional.
Default value
None.
Example
Example entry for request.log (common log format) (entered as one line):
logcfg = http.clf:file path=request_file,flush=time,rollover=max_size,log_id=httpclf,buffer_size=8192,queue_size=48
logflush
Syntax
logflush = number_of_seconds
Description
Integer value indicating the frequency, in seconds, to force a flush of log buffers.
Options
number_of_seconds
The minimum value is 1 second.
The maximum value is 600 seconds.
Usage
This stanza entry is optional.
Default value
20
Example
logflush = 20
logsize
Syntax
logsize = number_of_bytes
Description
Integer value indicating the size limit of audit log files. The size limit is also referred to as the rollover threshold. When the audit log file reaches this threshold, the original audit log file is renamed and a new log file with the original name will be created.
Options
number_of_bytes
When the value is zero (0), no rollover log file is created.
When the value is a negative integer, the logs are rolled over daily, regardless of the size.
When the value is a positive integer, the value indicates the maximum size, in bytes, of the audit log file before the rollover occurs. The allowable range is from 1 byte to 2 megabytes.
Usage
This stanza entry is optional.
Default value
2000000
Example
logsize = 2000000
permission-info-returned
Syntax
permission-info-returned = permission-attribute
Description
Specifies the permission information returned to the resource manager (for example, WebSEAL) from the authorization service.
Options
permission-attribute
The azn_perminfo_rules_adi_request setting allows the authorization service to request ADI from the current WebSEAL client request. The azn_perminfo_reason_rule_failed setting specifies that rule failure reasons be returned to the resource manager (this setting is required for -R junctions).
To enable the Privacy Redirection capabilities of the AMWebARS Web Service, the azn_perminfo_amwebars_redirect_url must be included.
Usage
This stanza entry is optional.
Default value
azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed
Example
permission-info-returned = azn_perminfo_rules_adi_request azn_perminfo_reason_rule_failed
policy-attr-separator
Syntax
policy-attr-separator = separator
Description
Specifies the character that WebSEAL uses for the following services:
v Credential policy entitlements service.
v Registry entitlements service.
Note: For the credential policy entitlements service to work properly, a user's DN cannot contain the specified separator. If the user DN contains this separator then WebSEAL fails when attempting to retrieve the user's policy attributes.
Options
separator
The character that WebSEAL uses for the credential policy entitlements service and the registry entitlements service. Ensure that the chosen character is not present in any user DN values.
Usage
This stanza entry is optional.
Default value
By default, WebSEAL uses colon (:) as the separator for these services.
Example
policy-attr-separator = #
policy-cache-size
Syntax
policy-cache-size = cache_size
Description
The maximum size of the in-memory policy cache is configurable. The cache consists of policy and the relationships between policy and resources. The knowledge that a resource has no directly associated policy is also cached.
Options
cache_size
The maximum cache size should be relative to the number of policy objects defined, the number of resources protected, and the available memory.
A reasonable algorithm to begin with is: (number of policy objects * 3) + (number of protected resources * 3)
This value controls how much information is cached. A larger cache will potentially improve the application performance but use additional memory as well.
Size is specified as the number of entries.
Usage
This stanza entry is optional.
Default value
None.
Example
policy-cache-size = 32768
resource-manager-provided-adi
Syntax
resource-manager-provided-adi = prefix
Description
A list of string prefixes that identify Authorization Decision Information (ADI) to be supplied by the resource manager (in this case, WebSEAL).
Options
prefix The default settings below tell the authorization engine that when it requires ADI with the prefixes AMWS_hd_, AMWS_qs_, or AMWS_pb_ to evaluate a boolean authorization rule, and the ADI is not available in either the credential or the application context passed in with the access decision call, the engine should fail the access decision and request that the resource manager retry the request and provide the required data in the application context of the next request.
Usage
This stanza entry is optional.
Default value
AMWS_hd_, AMWS_pb_, AMWS_qs_
Example
resource-manager-provided-adi = AMWS_hd_
resource-manager-provided-adi = AMWS_pb_
resource-manager-provided-adi = AMWS_qs_
xsl-stylesheet-prolog
Syntax
xsl-stylesheet-prolog = prolog
Description
The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.
Options
prolog The prolog to be added to the top of the XSL stylesheet that is created using the XSL text that defines a boolean authorization rule.
Usage
This stanza entry is optional.
Default value
<?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'></xsl:template>
Example
xsl-stylesheet-prolog = <?xml version='1.0' encoding='UTF-8'?> <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'> <xsl:output method = 'text' omit-xml-declaration='yes' indent='no'/> <xsl:template match='text()'> </xsl:template>
[azn-decision-info] stanza
azn-decision-info
Syntax
<attr-name> = <http-info>
Description
This stanza defines any extra information that is available to the authorization framework when making authorization decisions. This extra information can be obtained from various elements of the HTTP request, namely:
v HTTP method
v HTTP scheme
v HTTP cookies
v Request URI
v HTTP headers
v POST data
If the requested element is not in the HTTP request, no corresponding attribute isadded to the authorization decision information.
Options
<attr-name> The name of the attribute that contains the HTTP information.
<http-info> The source of the information. It can be one of the following values:
v method
v scheme
v uri
v header:<header-name>
v post-data:<post-data-name>
v cookie:<cookie-name>
Usage
This stanza entry is optional.
Default value
N/A
Example
HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
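To show how the six <http-info> sources map request elements onto named attributes, and how an absent element simply contributes no attribute, here is an added example that is not WebSEAL's code. It reuses the page's two example entries and adds constructed ones (REQUEST_URI, POST_ACTION, SESSION_COOKIE, the cookie name mysession, and the host www.example.com are all assumptions).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The page's two example entries plus constructed ones covering the other sources.
SAMPLE_STANZA = """
[azn-decision-info]
HTTP_REQUEST_METHOD = method
HTTP_HOST_HEADER = header:Host
REQUEST_URI = uri
POST_ACTION = post-data:action
SESSION_COOKIE = cookie:mysession
"""


@dataclass
class HttpRequest:
    """Minimal request model constructed for this example."""
    method: str
    scheme: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    post_data: Dict[str, str] = field(default_factory=dict)


def parse_azn_decision_info(text: str) -> List[Tuple[str, str]]:
    """Parse '<attr-name> = <http-info>' lines into (attr, source) pairs, in order."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        name, sep, source = line.partition("=")
        if sep:
            entries.append((name.strip(), source.strip()))
    return entries


def lookup(req: HttpRequest, source: str) -> Optional[str]:
    """Resolve one <http-info> source against the request; None when absent."""
    if source == "method":
        return req.method
    if source == "scheme":
        return req.scheme
    if source == "uri":
        return req.uri
    kind, sep, name = source.partition(":")
    if not sep:
        return None  # unrecognised source keyword: contributes nothing
    if kind == "header":
        # HTTP header names are case-insensitive, so compare them folded.
        for header, value in req.headers.items():
            if header.lower() == name.lower():
                return value
        return None
    if kind == "cookie":
        return req.cookies.get(name)
    if kind == "post-data":
        return req.post_data.get(name)
    return None


def build_adi(entries: List[Tuple[str, str]], req: HttpRequest) -> Dict[str, str]:
    """Build the extra decision information; absent elements add no attribute."""
    adi: Dict[str, str] = {}
    for attr, source in entries:
        value = lookup(req, source)
        if value is not None:
            adi[attr] = value
    return adi


if __name__ == "__main__":
    request = HttpRequest("GET", "https", "/jct/app", headers={"host": "www.example.com"})
    print(build_adi(parse_azn_decision_info(SAMPLE_STANZA), request))
```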
[ba] stanza
ba-auth
Syntax
ba-auth = {none|http|https|both}
Description
Enables authentication using the Basic Authentication mechanism.
When basic authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.
Options
{none|http|https|both}
Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
https
Example
ba-auth = https
basic-auth-realm
Syntax
basic-auth-realm = Realm_name
Description
String value that specifies the realm name.
Options
Realm_name
This name is displayed in the browser's dialog box when the user is prompted for login information. The string must consist of ASCII characters, and can contain spaces.
Usage
This stanza entry is optional.
Default value
Access Manager
Example
basic-auth-realm = Access Manager
[cdsso] stanza
authtoken-lifetime
Syntax
authtoken-lifetime = number_of_seconds
Description
Positive integer that expresses the number of seconds for which the single signon authentication token is valid.
Options
number_of_seconds Minimum value: 1. There is no maximum value.
Usage
This stanza entry is required.
Default value
180
Example
authtoken-lifetime = 180
cdsso-argument
Syntax
cdsso-argument = argument_name
Description
Name of the argument containing the cross-domain single signon token in a query string in a request. This is used to identify incoming requests that contain CDSSO authentication information.
Options
argument_name Name of the argument containing the cross-domain single signon token in a query string in a request. Valid characters are any ASCII characters, except for question mark ( ? ), ampersand ( & ), and equals sign ( = ).
Usage
This stanza entry is required.
Default value
PD-ID
Example
cdsso-argument = PD-ID
cdsso-auth
Syntax
cdsso-auth = {none|http|https|both}
Description
Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token consume (sso-consume) library in the [authentication-mechanisms] stanza.
Options
{none|http|https|both} Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
cdsso-auth = none
cdsso-create
Syntax
cdsso-create = {none|http|https|both}
Description
Enables WebSEAL to accept tokens. Requires that an authentication mechanism is specified for the token create (sso-create) library in the [authentication-mechanisms] stanza.
Options
{none|http|https|both} Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
cdsso-create = none
clean-cdsso-urls
Syntax
clean-cdsso-urls = {yes|no}
Description
The cdsso-argument (PD-ID) and PD-REFERER query string arguments can be passed to junctions. When this option is set to yes, these will be removed from the URI before the request is passed to the junction.
Options
yes The argument containing the CDSSO token in a request query string and the PD-REFERER query string argument are removed from the URI before the request is passed to the junction.
no The CDSSO and PD-REFERER arguments are not removed from the URI before the request is passed to the junction.
Usage
This stanza entry is required.
Default value
no
Example
clean-cdsso-urls = no
propagate-cdmf-errors
Syntax
propagate-cdmf-errors = {yes|no}
Description
Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.
Options
yes A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.
no A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.
Usage
This stanza entry is not required.
Default value
no
Example
propagate-cdmf-errors = no
use-utf8
Syntax
use-utf8 = {true|false}
Description
Use UTF-8 encoding for tokens used in cross domain single signon. Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. For more information about multi-locale support with UTF-8, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
true When this stanza entry is set to true, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This configuration enables tokens to be used across different code pages (such as for a different language).
false For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to false.
Usage
This stanza entry is required.
Default value
true
Example
use-utf8 = true
[cdsso-incoming-attributes] stanza
attribute_pattern
Syntax
attribute_pattern = {preserve|refresh}
Description
Attributes to accept from incoming CDSSO authentication tokens.
The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.
The attribute_pattern can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.
Options
preserve Attributes matching a preserve entry, or matching none of the entries, are kept. If no entries are configured, then all attributes are kept.
refresh Attributes in CDSSO authentication tokens that match a refresh entry are removed from the token before the CDMF library is called to map the remote user into the local domain.
Usage
This stanza entry is optional.
Default value
None.
Example
my_cred_attr1 = preserve
[cdsso-peers] stanza
fully_qualified_hostname
Syntax
fully_qualified_hostname = key_file
Description
List of peer servers that are participating in cross-domain single-sign on.
Options
key_file The name of the server's key file.
Usage
This stanza entry is optional.
Default value
None.
Example
webhost2.ibm.com = cdsso.key
[cdsso-token-attributes] stanza
<default>
Syntax
<default> = pattern1 [<default> = pattern2] ... [<default> = patternN]
Description
Credential attributes to include in CDSSO authentication tokens.
When WebSEAL cannot find a domain_name entry to match the domain, the entries in <default> are used. The word <default> is a key word and must not be modified.
Options
pattern The value for each <default> entry can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
Usage
This stanza entry is optional.
Default value
None.
Example
<default> = my_cdas_attr_*
domain_name
Syntax
domain_name = pattern1 [domain_name = pattern2] ... [domain_name = patternN]
Description
Credential attributes to include in CDSSO authentication tokens.
Options
domain_name The domain_name specifies the destination domain containing the server that will consume the token.
pattern The value for each domain_name entry can be either a specific value or can be a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
Usage
This stanza entry is optional.
Default value
None.
Example
example1.com = my_cdas_attr_*
example1.com = some_exact_attribute
[certificate] stanza
accept-client-certs
Syntax
accept-client-certs = {never|required|optional|prompt_as_needed}
Description
Specifies how to handle certificates from HTTPS clients.
When certificate authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.
Options
never Never request a client certificate.
required Always request a client certificate. Do not accept the connection if the client does not present a certificate. When this value is set to required, all other authentication settings are ignored for HTTPS clients.
optional Always request a client certificate. If presented, use it.
prompt_as_needed Do not prompt for a client certificate until the client attempts to access a resource that requires certificate authentication.
Note: When this value is set, ensure that the ssl-id-sessions stanza entry in the [session] stanza is set to no.
Usage
This stanza entry is required.
Default value
never
Example
accept-client-certs = never
cert-cache-max-entries
Syntax
cert-cache-max-entries = number_of_entries
Description
Maximum number of concurrent entries in the Certificate SSL ID cache.
Options
number_of_entries There is no absolute maximum size for the cache. However, the size of the cache cannot exceed the size of the SSL ID cache. A maximum size of 0 allows an unlimited cache size.
Usage
This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.
Default value
1024
Example
cert-cache-max-entries = 1024
cert-cache-timeout
Syntax
cert-cache-timeout = number_of_seconds
Description
Maximum lifetime, in seconds, for an entry in the Certificate SSL ID cache.
Options
number_of_seconds The minimum value is zero (0). A value of zero means that when the cache is full, the entries are cleared based on a Least Recently Used algorithm.
Usage
This stanza entry is required only when the accept-client-certs key is set to prompt_as_needed.
Default value
120
Example
cert-cache-timeout = 120
cert-prompt-max-tries
Syntax
cert-prompt-max-tries = number_of_tries
Description
During certificate authentication, WebSEAL prompts the browser to present the client's certificate. The SSL certificate negotiation process requires that the browser open and use a new (not existing) TCP connection.
Browsers typically maintain several open TCP connections to a given server. When WebSEAL tries to prompt the browser for a certificate, the browser often tries to reuse an existing TCP connection instead of opening a new TCP connection. Therefore, the prompting process must be retried. WebSEAL might need to prompt for a certificate several times before the browser opens a new TCP connection and allows the prompting process to succeed.
This configuration option controls how many times WebSEAL attempts to begin the SSL certificate negotiation process with the browser before assuming the client cannot provide a certificate.
Options
number_of_tries
Set the value to 5 because most browsers maintain a maximum of four TCP connections to a Web server. As each attempt by the browser to process the certificate prompt on an existing TCP connection fails, that TCP connection is closed. On the fifth attempt, with all TCP connections closed, the browser's only option is to open a new TCP connection.
If the value is set to less than 5, intermittent failures of certificate authentication might occur because the browser reuses existing TCP connections instead of opening a new TCP connection. These failures are more likely to occur in environments where login or other pages contain images that browsers access immediately before triggering the certificate prompts.
Values less than 2 or greater than 15 are not permitted.
This value is not used unless accept-client-certs = prompt_as_needed.
Usage
This stanza entry is required.
Default value
5
Example
cert-prompt-max-tries = 5
disable-cert-login-page
Syntax
disable-cert-login-page = {yes|no}
Description
Determines whether the initial login page with an option to prompt for a certificate is presented or if WebSEAL will bypass the page and directly prompt for the certificate.
Options
yes The initial login page with an option to prompt for a certificate is not presented; instead, WebSEAL bypasses this page and directly prompts for the certificate.
no The initial login page with an option to prompt for certificate is presented.
Usage
This stanza entry is required.
Default value
no
Example
disable-cert-login-page = no
eai-data
Syntax
eai-data = data:header_name
Description
The client certificate data elements that will be passed to the EAI application. Multiple pieces of client certificate data can be passed to the EAI application by including multiple eai-data configuration entries.
Options
header_name Used to indicate the name of the HTTP header which will contain the data.
data Used to indicate the data that will be included in the header. It should be one of the following:
v Base64Certificate
v SerialNumber
v SubjectCN
v SubjectLocality
v SubjectState
v SubjectCountry
v SubjectOrganization
v SubjectOrganizationalUnit
v SubjectDN
v SubjectPostalCode
v SubjectEmail
v SubjectUniqueID
v IssuerCN
v IssuerLocality
v IssuerState
v IssuerCountry
v IssuerOrganization
v IssuerOrganizationUnit
v IssuerDN
v IssuerPostalCode
v IssuerEmail
v IssuerUniqueID
v Version
v SignatureAlgorithm
v ValidFrom
v ValidFromEx
v ValidTo
v ValidToEx
v PublicKeyAlgorithm
v PublicKey
v PublicKeySize
v FingerprintAlgorithm
v Fingerprint
Usage
This stanza entry is required for EAI based client certificate authentication.
Default value
no
Example
eai-data = SubjectCN:eai-cn
eai-data = SubjectDN:eai-dn
eai-uri
Syntax
eai-uri = uri
Description
The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server. If this configuration entry is not defined, the standard CDAS authentication mechanism will be used to handle the authentication.
Options
uri The resource identifier of the application which will be invoked to perform the certificate authentication. This URI should be relative to the root web space of the WebSEAL server.
Usage
This stanza entry is required for EAI based client certificate authentication.
Default value
no
Example
eai-uri = /jct/cgi-bin/eaitest/eaitest.pl
[cert-map-authn] stanza
debug-level
Syntax
debug-level = level
Description
Controls the trace level for the authentication module.
Options
level Specifies the initial trace level, with 1 designating a minimal amount of tracing and 9 designating the maximum amount of tracing.
Note: You can also use the Security Access Manager pdadmin trace commands to modify the trace level by using the trace component name of pd.cas.certmap. This trace component is only available after the first HTTP request is processed.
Usage
This stanza entry is optional.
Default value
0
Note: A debug level of 0 results in no tracing output.
Example
debug-level = 5
rules-file
Syntax
rules-file = file-name
Description
The name of the rules file that the CDAS can use for certificate mapping.
Options
file-name The name of the rules file for the certificate mapping CDAS.
Usage
This stanza entry is required.
Default value
None.
Example
rules-file = cert-rules.txt
[cfg-db-cmd:entries] stanza
stanza::entry
Syntax
stanza::entry = {include|exclude}
Description
Specifies the configuration entries that will be imported or exported from the configuration database using the cfgdb server task commands. Each configuration entry is checked sequentially against each item in the [cfg-db-cmd:entries] stanza until a match is found. This first match then controls whether the configuration entry is included in, or excluded from, the configuration database. If no match is found, the configuration entry is excluded from the configuration database.
Syntax
entry This field defines the stanza entry to be included or excluded. It may contain any pattern matching characters.
stanza This field defines the stanza containing the data entry to be included or excluded. It may contain any pattern matching characters.
Options
include  Include the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.
exclude  Exclude the specified configuration entries when importing or exporting data from the configuration database using the cfgdb server task commands.
Usage
This stanza entry is not required.
Default value
WebSEAL uses the values configured in the WebSEAL configuration file. See the WebSEAL configuration file template for the default entries.
Example
server::unix-root = include
ldap::* = exclude
*::* = include
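The first-match evaluation described above, as an added illustration that is not part of the product or of this reference. It assumes that the pattern-matching characters behave like shell wildcards (Python's fnmatch), which is an assumption about WebSEAL's matching; the rule list and the sample entries are constructed, extending the stanza example with the cluster::* = exclude entry that the [cluster] stanza notes call for.

```python
from fnmatch import fnmatchcase

# Constructed [cfg-db-cmd:entries] rules, in stanza order (order matters:
# the first matching rule decides).  Mirrors the example in the reference,
# with the cluster exclusion from the [cluster] stanza notes added.
CFG_DB_RULES = [
    ("server::unix-root", "include"),
    ("ldap::*", "exclude"),
    ("cluster::*", "exclude"),
    ("*::*", "include"),
]


def parse_rule(pattern):
    """Split a 'stanza::entry' pattern into its stanza and entry parts."""
    stanza, sep, entry = pattern.partition("::")
    if not sep:
        raise ValueError(f"rule {pattern!r} lacks the '::' separator")
    return stanza, entry


def is_included(stanza, entry, rules=CFG_DB_RULES):
    """Sequential first-match evaluation; no match at all means exclude.

    Assumption: pattern-matching characters behave like shell wildcards.
    """
    for pattern, action in rules:
        stanza_pat, entry_pat = parse_rule(pattern)
        if fnmatchcase(stanza, stanza_pat) and fnmatchcase(entry, entry_pat):
            return action == "include"
    return False


def filter_entries(entries, rules=CFG_DB_RULES):
    """Return the (stanza, entry) pairs the cfgdb commands would carry."""
    return [(s, e) for s, e in entries if is_included(s, e, rules)]


if __name__ == "__main__":
    # Constructed sample of configuration entries (names only, no values).
    sample = [
        ("server", "unix-root"),
        ("ldap", "bind-pwd"),
        ("cluster", "master-name"),
        ("ssl", "webseal-cert-keyfile"),
    ]
    for stanza, entry in sample:
        verdict = "include" if is_included(stanza, entry) else "exclude"
        print(f"{stanza}::{entry} -> {verdict}")
```

Because evaluation stops at the first match, a catch-all *::* = include must come last; placed first it would make every later exclude rule unreachable, including the cluster exclusion.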
[cfg-db-cmd:files] stanza
files
Syntax
Either:
files = cfg(stanza::entry)
Or:
files = file_name
Description
Defines the files that will be included (that is, imported or exported) in the configuration database using the cfgdb server task commands.
Options
stanza  This field specifies the name of the stanza that contains the entry with the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.
entry  This field specifies the stanza entry that contains the name of the file to be included in the configuration database. The configuration value defined by stanza and entry must contain the name of the file.
file_name  The name of the file.
Usage
This stanza entry is not required.
Default value
file = cfg(ssl::webseal-cert-keyfile)
file = cfg(ssl::webseal-cert-keyfile-stash)
file = cfg(junction::jmt-map)
file = cfg(server::dynurl-map)
Example
file = cert-rules.txt
file = jmt.conf
file = cfg(junction::jmt-map)
[cluster] stanza
Notes:
v It is vital that this configuration stanza is not included in the configuration database. The cluster::* = exclude configuration entry in the [cfg-db-cmd:entries] stanza ensures this exclusion.
v In addition to the configuration entries listed here, a config-version entry is added at run time in a clustered environment. This configuration entry contains version information about the current configuration. Do NOT manually edit this version information.
v All cluster members must be the same server type. You can cluster either:
– WebSEAL servers that are running on Web Gateway appliances.
– WebSEAL servers that are running on standard operating systems.
is-master
Syntax
is-master = {yes|no}
Description
Is this server the master for the WebSEAL cluster? You need to have a single master for each cluster. Any modifications to the configuration of a cluster must be made on the master.
Options
yes
This server is the master for the WebSEAL cluster.
no  This server is not the master for the WebSEAL cluster. The name of the master server must be specified in the master-name configuration entry that is also in the [cluster] stanza.
Usage
This stanza entry is required in a clustered environment. This stanza entry is not required for a single server environment.
Default value
There is no default value.
Example
is-master = no
master-name
Syntax
master-name = azn-name
Description
Defines the authorization server name of the master for the WebSEAL cluster.
Options
azn-name
The authorization server name of the master.
Usage
This stanza entry is required if the value for is-master (also in the [cluster] stanza) is set to no. If the is-master entry is set to yes, WebSEAL ignores this master-name entry.
Default value
There is no default value.
Example
master-name = default-webseald-master.ibm.com
max-wait-time
Syntax
max-wait-time = number
Description
Specifies the maximum amount of time to wait, in seconds, for a slave server to be restarted. This configuration entry is only applicable to the master server.
Options
number
The maximum number of seconds to wait for a slave server to be restarted.
Usage
This configuration entry is required if is-master (also in the [cluster] stanza) is set to yes.
Default value
60
Example
max-wait-time = 60
[compress-mime-types] stanza
mime_type
Syntax
mime_type = minimum_doc_size:[compression_level]
Description
Enables or disables HTTP compression based on the mime-type of the response and the size of the returned document.
Options
mime_type  The mime_type can contain a wild card pattern such as an asterisk ( * ) for the subtype, or it can be "*/*" to match all mime-types.
minimum_doc_size  The minimum_doc_size is an integer that can be positive, negative or zero. A size of -1 means do not compress this mime-type. A size of 0 means to compress the document regardless of its size. A size greater than 0 means to compress the document only when its initial size is greater than or equal to minimum_doc_size.
compression_level  The compression_level is an integer value between 1 and 9. The larger number results in a higher amount of compression. When compression_level is not specified, a default level of 1 is used.
Usage
This stanza entry is optional.
Default value
*/* = -1
Example
image/* = -1
text/html = 1000
[compress-user-agents] stanza
pattern
Syntax
pattern = {yes|no}
Description
Enables or disables HTTP compression based on the user-agent header sent by clients. This entry is used to disable compression for clients which send an "accept-encoding: gzip" HTTP header but do not actually handle gzip content-encodings properly. An example of a user agent is a browser, such as Microsoft Internet Explorer 6.0.
Options
yes Enables HTTP compression based on the user-agent header sent by clients.
no Disables HTTP compression based on the user-agent header sent by clients.
Usage
This stanza entry is optional.
Default value
None.
Example
*MSIE 6.0* = yes
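The compression decision that [compress-mime-types] and [compress-user-agents] together describe, as an added example that is not the product's code. The rule lists are constructed; the precedence among MIME rules (exact type before type/* before */*) and shell-wildcard matching for the patterns are assumptions, since this reference does not state how overlapping entries are resolved.

```python
from fnmatch import fnmatchcase

# Constructed [compress-mime-types] entries, 'mime_type = minimum_doc_size:[compression_level]'.
MIME_RULES = [
    ("image/*", "-1"),             # never recompress images
    ("text/html", "1000"),         # HTML of 1000 bytes or more, default level 1
    ("application/json", "0:6"),   # always compress JSON, level 6
    ("*/*", "-1"),                 # everything else stays uncompressed
]

# Constructed [compress-user-agents] entries, 'pattern = {yes|no}'.
UA_RULES = [
    ("*BrokenGzipBot*", "no"),     # constructed agent that advertises gzip but cannot decode it
]


def parse_mime_rule(value):
    """Parse 'minimum_doc_size:[compression_level]'; the level defaults to 1."""
    size_str, _, level_str = value.partition(":")
    size = int(size_str)
    level = int(level_str) if level_str else 1
    if not 1 <= level <= 9:
        raise ValueError(f"compression_level {level} is outside 1..9")
    return size, level


def user_agent_allows(user_agent, ua_rules=UA_RULES):
    """First matching [compress-user-agents] pattern decides; no match leaves compression on."""
    for pattern, enabled in ua_rules:
        if fnmatchcase(user_agent, pattern):
            return enabled == "yes"
    return True


def compression_level(content_type, doc_size, user_agent, accept_encoding,
                      mime_rules=MIME_RULES, ua_rules=UA_RULES):
    """Return the gzip level to apply, or 0 when the response stays uncompressed.

    Assumption: the most specific MIME rule wins (exact type, then type/*, then */*).
    """
    offered = [t.strip().split(";")[0] for t in accept_encoding.lower().split(",")]
    if "gzip" not in offered:
        return 0                      # client never asked for gzip
    if not user_agent_allows(user_agent, ua_rules):
        return 0                      # client asked, but is known not to cope
    media = content_type.split(";")[0].strip().lower()   # drop ';charset=...'
    major = media.partition("/")[0]
    rules = dict(mime_rules)
    for candidate in (media, f"{major}/*", "*/*"):
        if candidate in rules:
            min_size, level = parse_mime_rule(rules[candidate])
            break
    else:
        return 0                      # no rule covers this type
    if min_size < 0:
        return 0
    if min_size == 0 or doc_size >= min_size:
        return level
    return 0
```

A client's Accept-Encoding header is the first gate, the user-agent deny list the second, and the MIME rule the last; only when all three agree is a level other than 0 returned.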
[content] stanza
utf8-template-macros-enabled
Syntax
utf8-template-macros-enabled = {yes|no}
Description
Specifies how standard WebSEAL HTML files, such as login.html, have data inserted into them when %MACRO% strings are encountered.
This entry affects files in the management and errors directories. You can manage these directories from the Manage Reverse Proxy Management Root page of the LMI.
WebSEAL HTML pages use a UTF-8 character set by default. If you modify the character set to specify the local code page, set this entry to no.
Options
yes When set to yes, data is inserted in UTF-8 format.
no When set to no, data is inserted in the local code page format.
Usage
This stanza entry is required.
Default value
yes
Example
utf8-template-macros-enabled = yes
[content-cache] stanza
MIME_type
Syntax
MIME_type = cache_type:cache_size:maximum_age
Description
List of entries that define the caches which WebSEAL uses to store documents in memory.
Options
MIME_type  Any valid MIME type conveyed in an HTTP Content-Type: response header. This value may contain an asterisk to denote a wildcard ( * ). A value of */* represents a default object cache that holds any object that does not correspond to an explicitly configured cache.
cache_type  Defines the type of backing store to use for the cache. Only memory caches are supported.
cache_size  The maximum size, in kilobytes, to which the cache grows before objects are removed according to a least-recently-used algorithm. The minimum allowable value is 1 kilobyte. WebSEAL reports an error and fails to start if the value is less than or equal to zero (0). WebSEAL does not impose a maximum allowable value.
def-max-age  Specifies the maximum age (in seconds) if expiry information is missing from the original response. If no value is provided, a default maximum age of 3600 (one hour) will be applied. The configured default maximum age is only used when the cached response is missing the cache control headers: Cache-Control, Expires, and Last-Modified.
Note: If only Last-Modified is present, the maximum age will be calculated as ten percent of the difference between the current time and the last-modified time.
Usage
This stanza entry is optional.
Default value
None.
Example
text/html = memory:2000:3600
# image/* = memory:5000:3600
# */* = memory:1000:3600
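An added worked example of the cache definition syntax and of the freshness rule in the def-max-age description; it is not WebSEAL code. The sample responses and the fixed clock are constructed, and the precedence among the three headers (a Cache-Control max-age first, then Expires, then the ten percent Last-Modified heuristic, then the configured default) is an assumption consistent with the text.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed "current time" for the constructed responses below (2012-06-01 12:00 UTC).
SAMPLE_NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)


def parse_cache_entry(value):
    """Parse 'cache_type:cache_size:maximum_age' from a [content-cache] entry."""
    parts = value.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"malformed cache definition {value!r}")
    cache_type, size_str = parts[0], parts[1]
    if cache_type != "memory":
        raise ValueError("only memory caches are supported")
    size_kb = int(size_str)
    if size_kb <= 0:
        raise ValueError("cache_size must be at least 1 kilobyte")
    age_str = parts[2] if len(parts) == 3 else ""
    def_max_age = int(age_str) if age_str else 3600   # one hour when omitted
    return {"type": cache_type, "size_kb": size_kb, "def_max_age": def_max_age}


def cache_entry_is_valid(value):
    """True when WebSEAL would accept the definition instead of failing to start."""
    try:
        parse_cache_entry(value)
    except ValueError:
        return False
    return True


def freshness_lifetime(headers, def_max_age, now):
    """Seconds a cached response may be reused before it must be refetched.

    Assumed precedence: Cache-Control max-age, then Expires, then ten percent
    of the age implied by Last-Modified; the configured default applies only
    when all three headers are absent.
    """
    h = {k.lower(): v for k, v in headers.items()}
    match = re.search(r"max-age=(\d+)", h.get("cache-control", ""))
    if match:
        return int(match.group(1))
    if "expires" in h:
        remaining = (parsedate_to_datetime(h["expires"]) - now).total_seconds()
        return max(0, int(remaining))
    if "last-modified" in h:
        age = (now - parsedate_to_datetime(h["last-modified"])).total_seconds()
        return max(0, int(age * 0.10))
    return def_max_age


if __name__ == "__main__":
    cfg = parse_cache_entry("memory:2000:3600")
    sample = {"Last-Modified": "Fri, 01 Jun 2012 02:00:00 GMT"}   # constructed
    print(cfg, freshness_lifetime(sample, cfg["def_max_age"], SAMPLE_NOW))
```

A response that carries none of the three headers is served from the cache for the full def-max-age, so a back end that omits caching headers on personalised pages should be paired with a short maximum age or with a -1 style exclusion rather than the one-hour default.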
[content-encodings] stanza
extension
Syntax
extension = encoding_type
Description
Entries in this stanza map a document extension to an encoding type. This mapping is used by WebSEAL to report the correct MIME type in its response content-type header for local junction files. This mapping is necessary so that WebSEAL can communicate to a browser that encoded (binary) data is being returned.
The MIME types defined in this stanza must also be defined in [content-mime-types].
When WebSEAL encounters a document with two extensions, such as: .txt.Z, it produces two headers:
content-type: text/plain
content-encoding: x-compress
Thus even though the data is compressed, the response to the browser says text/plain. However, the extra content-encoding header tells the browser that the data is compressed text/plain.
In most cases, the administrator does not need to add additional entries. However, if the administrator introduces a new extension type that requires more than a text/plain response, the extension and encoding_type should be added to this stanza.
Options
encoding_type  Encoding type.
Usage
This stanza entry is required.
Default value
gz = x-gzip
Z = x-compress
Example
gz = x-gzip
Z = x-compress
[content-index-icons] stanza
type
Syntax
type = relative_pathname
Description
Entries in this stanza specify icons to use in directory indices. The relative_pathname is the path name to the location of the icon.
Administrators can add additional entries. The type must refer to valid MIME types. The wildcard character (*) is limited to entries of one collection of MIME types. For example, image/*. No further wildcard expansion is done. For a list of MIME types, see the [content-mime-types] stanza.
The relative_pathname can be any valid URI within the WebSEAL protected object space, as defined in doc-root.
Options
type The type indicates a wildcard pattern for a collection of MIME types.
relative_pathname  The path name is relative to the WebSEAL protected object space, as set in the doc-root entry in the [content] stanza.
Usage
The entries in this stanza are optional.
Default value
The WebSEAL configuration file provides the following default entries:
image/* = /icons/image2.gif
video/* = /icons/movie.gif
audio/* = /icons/sound2.gif
text/html = /icons/generic.gif
text/* = /icons/text.gif
application/x-tar = /icons/tar.gif
application/* = /icons/binary.gif
Example
image/* = /icons/image2.gif
[credential-policy-attributes] stanza
policy-name
Syntax
policy-name = credential-attribute-name
Description
Controls which Access Manager policy values are stored in credentials during authentication.
Options
credential-attribute-name  Credential attribute name.
Usage
This stanza entry is optional.
Default value
None.
Example
AZN_POLICY_MAX_FAILED_LOGIN = tagvalue_max_failed_login
[credential-refresh-attributes] stanza
attribute_name_pattern
Syntax
attribute_name_pattern = {preserve|refresh}
Description
Specifies whether an attribute, or group of attributes that match a pattern, should be preserved or refreshed during a credential refresh.
Options
preserve  Original attribute value preserved in new credential.
refresh  Original attribute value refreshed in new credential.
Usage
This stanza entry is optional.
Default value
preserve
Example
tagvalue_* = preserve
authentication_level
Syntax
authentication_level = {preserve|refresh}
Description
Specifies whether the authentication level for the user should be preserved or refreshed during a credential refresh. The authentication level can reflect the results of an authentication strength policy (step-up authentication). In most cases, this level should be preserved during a credential refresh.
Options
preserve  Original attribute value preserved in new credential.
refresh  Original attribute value refreshed in new credential.
Usage
This stanza entry is required.
Default value
preserve
Example
authentication_level = preserve
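The preserve-or-refresh merge that the [credential-refresh-attributes] entries above control, as an added example rather than the product's implementation. The rule list and the attribute names other than authentication_level and the tagvalue_ prefix are constructed; shell-wildcard matching for attribute_name_pattern, and keeping the old value of a "refresh" attribute that the new credential does not carry, are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed [credential-refresh-attributes] rules, in stanza order.
REFRESH_RULES = [
    ("tagvalue_*", "preserve"),            # session-scoped tag/value attributes survive
    ("dept_code", "refresh"),              # constructed name; take the fresh value
    ("authentication_level", "preserve"),  # keep the step-up result, as the reference advises
]


def refresh_action(attr_name, rules=REFRESH_RULES, default="preserve"):
    """First matching pattern decides; unmatched attributes use the stanza default."""
    for pattern, action in rules:
        if fnmatchcase(attr_name, pattern):
            return action
    return default


def refresh_credential(old, new, rules=REFRESH_RULES):
    """Merge an existing credential with a freshly built one.

    Assumption: an attribute marked 'refresh' that the new credential lacks
    keeps its old value, and attributes only present in the new credential
    are added unchanged.
    """
    merged = {}
    for name, old_value in old.items():
        if refresh_action(name, rules) == "refresh" and name in new:
            merged[name] = new[name]
        else:
            merged[name] = old_value
    for name, value in new.items():
        merged.setdefault(name, value)
    return merged


if __name__ == "__main__":
    # Constructed credentials: the user stepped up to level 2 earlier in the session.
    old = {"authentication_level": "2", "tagvalue_login_time": "t0", "dept_code": "A"}
    new = {"authentication_level": "1", "tagvalue_login_time": "t1", "dept_code": "B"}
    print(refresh_credential(old, new))
```

With authentication_level = refresh instead, the merge would drop the user back to level 1 and silently undo the step-up, which is why the reference recommends preserving it.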
[dsess] stanza
dsess-sess-id-pool-size
Syntax
dsess-sess-id-pool-size = number
Description
The maximum number of session IDs that are pre-allocated within the replica set.
Note: This option is used by the [dsess-cluster] stanza.
Options
number  The maximum number of session IDs that are pre-allocated within the replica set.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
125
Example
dsess-sess-id-pool-size = 125
dsess-cluster-name
Syntax
dsess-cluster-name = SMS cluster name
Description
Specifies the name of the SMS cluster to which this SMS server belongs.
Options
SMS cluster name  The name of the SMS cluster to which this SMS server belongs. This field must be defined and reference an existing dsess-cluster stanza qualified by the value of this entry.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
dsess
Example
dsess-cluster-name = dsess
[dsess-cluster] stanza
basic-auth-user
Syntax
basic-auth-user = user_name
Description
Specifies the name of the user that is included in the basic authentication header.
Options
user_name  The user name to be included in the basic authentication header.
Usage
This stanza entry is optional.
Default value
None.
Example
basic-auth-user = user_name
basic-auth-passwd
Syntax
basic-auth-passwd = password
Description
Specifies the password that is included in the basic authentication header.
Options
password  The password to be included in the basic authentication header.
Usage
This stanza entry is optional.
Default value
None.
Example
basic-auth-passwd = password
gsk-attr-name
Syntax
gsk-attr-name = {enum | string | number}:id:value
Description
Specify additional GSKit attributes to use when initializing an SSL connection with the Session Management Server (SMS). A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
Options
{enum | string | number}  The GSKit attribute type.
id The identity associated with the GSKit attribute.
value The value for the GSKit attribute.
Usage
This stanza entry is optional.
You cannot configure the following restricted GSKit attributes:
GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING
If you attempt to modify any of these attributes then an error message will be generated.
Default value
None.
Example
The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com
See also
“gsk-attr-name” on page 284
“jct-gsk-attr-name” on page 287
“gsk-attr-name” on page 313
handle-idle-timeout
Syntax
handle-idle-timeout = number
Description
Limits the length of time that a handle remains idle before it is removed from the handle pool cache.
Options
number  The length of time, in seconds, before an idle handle will be removed from the handle pool cache.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
240
Example
handle-idle-timeout = 240
handle-pool-size
Syntax
handle-pool-size = number
Description
The maximum number of idle Simple Access Object Protocol (SOAP) handles that the dsess client will maintain at any given time.
Options
number  The maximum number of idle SOAP handles that the dsess client will maintain at any given time.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
10
Example
handle-pool-size = 10
response-by
Syntax
response-by = seconds
Description
The length of time (in seconds) that the dsess client will block to wait for updates from the Session Management Server (SMS).
Options
seconds  The length of time (in seconds) that the dsess client will block to wait for updates from the SMS.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
60
Example
response-by = 60
server
Syntax
server = {[0-9],}<URL>
Description
Specifies a priority level and URL for each SMS server that is a member of this cluster. Multiple server entries can be specified for a given cluster.
Options
0-9  A digit, 0-9, that represents the priority of the server within the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.
Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.
URL A well-formed HTTP or HTTPS uniform resource locator for the server.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
This entry is disabled by default.
Example
server = 9,http://sms.example.com/DSess/services/DSess
ssl-fips-enabled
Syntax
ssl-fips-enabled = {yes|no}
Description
Determines whether Federal Information Processing Standards (FIPS) mode is enabled on the session management server. If no configuration entry is present, the global setting, as determined by the ssl-fips-enabled entry in the [ssl] stanza of the policy server, takes effect. When set to "yes", or when the setting in the policy server configuration file is set to "yes", Transport Layer Security (TLS) version 1 (TLSv1) is the secure communication protocol used. When set to "no", or when the setting in the policy server configuration file is set to "no", SSL version 3 (SSLv3) is the secure communication protocol used.
Options
yes Indicates that TLSv1 is the secure communication protocol.
no Indicates that SSLv3 is the secure communication protocol.
Usage
This stanza entry is optional.
Default value
None.
If a different FIPS level than that of the policy server is required, it is the responsibility of the administrator to edit the configuration file, uncomment the stanza entry, and specify this value.
Example
ssl-fips-enabled = yes
ssl-keyfile
Syntax
ssl-keyfile = file_name
Description
The name of the key database file, which houses the client certificate to be used.
Options
file_name  The name of the key database file that houses the client certificate for WebSEAL to use.
Usage
This stanza entry is only required if one or more of the cluster server URLs specified in the server entries uses SSL (that is, contains an HTTPS protocol specification in the URL). If no cluster server uses the HTTPS protocol, this entry is not required. If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.
[session]
dsess-enabled = yes
Default value
None.
Example
ssl-keyfile = file_name
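An added example, not WebSEAL's own code, covering two rules from this stanza: the server entry syntax (optional single-digit priority, comma with no space, URL, priority 9 when omitted) and the condition under which ssl-keyfile, ssl-keyfile-label and ssl-keyfile-stash are needed and fall back to the global [ssl] stanza. The server list is constructed; the [ssl] fallback names webseal-cert-keyfile and webseal-cert-keyfile-stash are taken from this reference, and webseal-cert-keyfile-label is assumed.

```python
import re
from urllib.parse import urlsplit

# 'server = {[0-9],}<URL>': optional one-digit priority, comma, URL; no whitespace allowed.
SERVER_ENTRY = re.compile(r"^(?:([0-9]),)?([A-Za-z][A-Za-z0-9+.-]*://\S+)$")

# Constructed [dsess-cluster] server entries.
SERVER_ENTRIES = [
    "9,http://sms.example.com/DSess/services/DSess",
    "https://sms-backup.example.com/DSess/services/DSess",   # no priority: 9 assumed
    "3,https://sms-dr.example.com/DSess/services/DSess",
]


def parse_server_entry(value):
    """Return (priority, url); priority defaults to 9 when omitted."""
    match = SERVER_ENTRY.match(value.strip())
    if not match:
        raise ValueError(f"malformed server entry {value!r} (no space may follow the comma)")
    priority = int(match.group(1)) if match.group(1) else 9
    url = match.group(2)
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError(f"{url!r} is not a well-formed HTTP or HTTPS URL")
    return priority, url


def server_entry_is_valid(value):
    try:
        parse_server_entry(value)
    except ValueError:
        return False
    return True


def ordered_servers(entries=SERVER_ENTRIES):
    """Highest priority first; sorted() is stable, so file order breaks ties."""
    parsed = [parse_server_entry(e) for e in entries]
    return sorted(parsed, key=lambda p: -p[0])


def cluster_needs_ssl(entries=SERVER_ENTRIES):
    """True when at least one cluster member is addressed over HTTPS."""
    return any(urlsplit(url).scheme.lower() == "https" for _, url in ordered_servers(entries))


def resolve_ssl_keys(entries, dsess_cluster, ssl_stanza):
    """Resolve the key-file settings: [dsess-cluster] first, then the global [ssl] stanza.

    Nothing is required while every member is plain HTTP.  The fallback key
    webseal-cert-keyfile-label is an assumption; the other two appear in this
    reference.
    """
    if not cluster_needs_ssl(entries):
        return {}
    fallback = {
        "ssl-keyfile": "webseal-cert-keyfile",
        "ssl-keyfile-label": "webseal-cert-keyfile-label",
        "ssl-keyfile-stash": "webseal-cert-keyfile-stash",
    }
    resolved = {}
    for key, global_key in fallback.items():
        value = dsess_cluster.get(key, ssl_stanza.get(global_key))
        if not value:
            raise ValueError(f"{key} is required for HTTPS cluster members but is not configured")
        resolved[key] = value
    return resolved
```

Running the check at configuration-review time catches the common mistake of adding an https:// member to an existing all-HTTP cluster without providing a client certificate, which the reference states is required as soon as one URL uses SSL.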
ssl-keyfile-label
Syntax
ssl-keyfile-label = label_name
Description
The label of the client certificate within the key database.
Options
label_name  Client certificate label name.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-label = label_name
ssl-keyfile-stash
Syntax
ssl-keyfile-stash = file_name
Description
The name of the password stash file for the key database file.
Options
file_name  The password stash file.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Note: If this entry is required but is not specified in the [dsess-cluster] stanza, the value will be taken from the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-stash = file_name
ssl-valid-server-dn
Syntax
ssl-valid-server-dn = certificate_DN
Description
Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.
Options
value  Specifies the DN of the server (obtained from the server SSL certificate) that is accepted. If no entry is configured, any valid certificate signed by a CA in the key file is accepted.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
None.
Example
ssl-valid-server-dn = value
timeout
Syntax
timeout = seconds
Description
The length of time (in seconds) to wait for a response to be received back from the SMS.
Options
seconds  The length of time (in seconds) to wait for a response to be received back from the SMS.
Usage
This stanza entry is required when:
[session]
dsess-enabled = yes
Default value
30
Example
timeout = 30
[eai] stanza
eai-auth
Syntax
eai-auth = {none|http|https|both}
Description
Enables the external authentication interface.
Options
{none|http|https|both}  Enables the external authentication interface. No other external authentication interface parameters will take effect if set to "none".
Usage
This stanza entry is required.
Default value
none
Example
eai-auth = none
eai-auth-level-header
Syntax
eai-auth-level-header = header-name
Description
Specifies the name of the header that contains the authentication strength level for the generated credential.
Options
header-name  The name of the header that contains the authentication strength level for the generated credential.
Usage
This stanza entry is optional.
Default value
am-eai-auth-level
Example
eai-auth-level-header = am-eai-auth-level
eai-flags-header
Syntax
eai-flags-header = header-name
Description
Specifies the name of the header that 'flags' the authentication response with extra processing information. WebSEAL supports the following header values as flags:
stream  Causes WebSEAL to stream the EAI authentication response back to the client.
For more details, see the information about external authentication interface authentication flags in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
header-name  The name of the EAI flags header.
Usage
This stanza entry is optional.
Default value
am-eai-flags
Example
eai-flags-header = am-eai-flags
eai-pac-header
Syntax
eai-pac-header = header-name
Description
Specifies the name of the Privilege Attribute Certificate (PAC) header that contains authentication data returned from the external authentication interface server.
Options
header-name  The name of the privilege attribute certificate (PAC) header that contains authentication data returned from the external authentication interface server.
Usage
This stanza entry is optional.
Default value
am-eai-pac
Example
eai-pac-header = am-eai-pac
eai-pac-svc-header
Syntax
eai-pac-svc-header = header-name
Description
Specifies the name of the header that contains the service ID that is used to convert the PAC into a credential.
Options
header-name  The name of the header that contains the service ID that is used to convert the PAC into a credential.
Usage
This stanza entry is optional.
Default value
am-eai-pac-svc
Example
eai-pac-svc-header = am-eai-pac-svc
eai-redir-url-header
Syntax
eai-redir-url-header = header-name
Description
Specifies the name of the header that contains the URL a client is redirected to upon successful authentication.
Options
header-name  The name of the header that contains the URL a client is redirected to upon successful authentication.
Usage
This stanza entry is optional.
Default value
am-eai-redir-url
Example
eai-redir-url-header = am-eai-redir-url
eai-session-id-header
Syntax
eai-session-id-header = header-name
Description
The name of the header that contains the session identifier of the distributed session to be shared across multiple DNS domains.
Options
header-name  The session identifier of the distributed session to be shared across multiple DNS domains.
Usage
This stanza entry is required.
Default value
am-eai-session-id
Example
eai-session-id-header = am-eai-session-id
eai-user-id-header
Syntax
eai-user-id-header = header-name
Description
Specifies the name of the header that contains the ID of the user used when generating a credential.
Options
header-name  The name of the header that contains the ID of the user used when generating a credential.
Usage
This stanza entry is optional.
Default value
am-eai-user-id
Example
eai-user-id-header = am-eai-user-id
eai-verify-user-identity
Syntax
eai-verify-user-identity = {yes|no}
Description
During the EAI re-authentication process, this configuration entry determines whether the new user identity must match the user identity from the previous authentication.
Options
yes  During EAI authentication, the new user identity is compared with the user identity from the previous authentication. If the user identities do not match, an error is returned.
no EAI authentication proceeds without verifying the new user identity.
Usage
This stanza entry is optional.
Default value
no
Example
eai-verify-user-identity = yes
eai-xattrs-header
Syntax
eai-xattrs-header = header-name[,header-name...]
Description
Specifies a comma-delimited list of header names. WebSEAL examines the response for headers with the specified names and creates extended attributes using the name of the header as the attribute name and the value of the header as the attribute value.
For example, if the following headers are returned in the HTTP response:
am-eai-xattrs: creditcardexpiry, streetaddress
creditcardexpiry: 090812
streetaddress: 555 homewood lane
WebSEAL will:
1. Examine the am-eai-xattrs header
2. Detect two headers to look for in the response
3. Find those headers and their values
4. Add the two specified attributes to the credential
Options
header-name[,header-name...]  One or more (comma delimited) header names that are added to the credential as extended attributes.
Usage
This stanza entry is optional.
Default value
am-eai-xattrs
Example
eai-xattrs-header = am-eai-xattrs
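The header-to-credential processing that the [eai] entries above describe, as an added example and not the product's implementation. It uses the default header names listed in this reference, extends the am-eai-xattrs example with a constructed user ID, level and redirect URL, and also applies the eai-verify-user-identity check. The choice of a PermissionError to signal a mismatched identity and the absence of a default authentication level are assumptions.

```python
# Header names as configured by the [eai] stanza; these are the defaults in this reference.
EAI_HEADERS = {
    "user_id": "am-eai-user-id",
    "auth_level": "am-eai-auth-level",
    "xattrs": "am-eai-xattrs",
    "redir_url": "am-eai-redir-url",
    "flags": "am-eai-flags",
    "pac": "am-eai-pac",
}

# Constructed EAI response headers, extending the am-eai-xattrs example in the reference.
SAMPLE_RESPONSE = {
    "am-eai-user-id": "jdoe",
    "am-eai-auth-level": "2",
    "am-eai-xattrs": "creditcardexpiry, streetaddress",
    "creditcardexpiry": "090812",
    "streetaddress": "555 homewood lane",
    "am-eai-redir-url": "/protected/home",
    "Content-Type": "text/html",
}


def _csv(value):
    """Split a comma-delimited header value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def build_credential(response_headers, previous_user=None,
                     verify_user_identity=False, names=EAI_HEADERS):
    """Turn the headers of an EAI authentication response into credential data.

    WebSEAL only examines responses to trigger-URL requests; the caller is
    expected to pass those.  Returns None when no authentication data is
    present.  With verify_user_identity (eai-verify-user-identity = yes) a
    re-authentication that names a different user is rejected.
    """
    h = {k.lower(): v for k, v in response_headers.items()}
    user = h.get(names["user_id"])
    pac = h.get(names["pac"])
    if user is None and pac is None:
        return None
    if verify_user_identity and previous_user is not None and user != previous_user:
        raise PermissionError(
            f"EAI re-authentication returned user {user!r}; session belongs to {previous_user!r}")
    credential = {
        "user": user,
        "pac": pac,
        "auth_level": int(h[names["auth_level"]]) if names["auth_level"] in h else None,
        "xattrs": {},
        "redirect": h.get(names["redir_url"]),
        "stream": "stream" in _csv(h.get(names["flags"], "")),
    }
    # Each name listed in the xattrs header selects another header whose value
    # becomes an extended attribute; listed names with no matching header are skipped.
    for attr in _csv(h.get(names["xattrs"], "")):
        if attr.lower() in h:
            credential["xattrs"][attr] = h[attr.lower()]
    return credential


def reauth_is_consistent(response_headers, previous_user, names=EAI_HEADERS):
    """True when a re-authentication keeps the same identity (what verify enforces)."""
    try:
        build_credential(response_headers, previous_user, True, names)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    print(build_credential(SAMPLE_RESPONSE))
```

Everything the credential carries here comes from the back-end EAI response, never from the client's request, which is why the trigger flag and the identity check matter: with eai-verify-user-identity = no, a second EAI response naming a different user replaces the identity in the existing session.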
retain-eai-session
Syntax
retain-eai-session = {yes|no}
Description
Specifies whether the existing session and session cache entry for a client are retained or replaced when an already-authenticated EAI client authenticates through an EAI a second time.
Options
yes  If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are retained, and the new credential is stored in the existing cache entry.
no  If an already-authenticated EAI client authenticates through an EAI a second time, the existing session and session cache entry for the client are completely replaced and the new credential is stored in the new cache entry.
Usage
This stanza entry is required.
Default value
no
Example
retain-eai-session = no
[eai-trigger-urls] stanza
trigger
Syntax
trigger = url-pattern
Description
Format for standard WebSEAL junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.
Options
url-pattern  The trigger URL (format for standard WebSEAL junctions) that causes WebSEAL to set a special flag on the request.
Usage
There must be at least one entry when eai-auth is not "none".
Default value
None.
Example
trigger = /jct/cgi-bin/eaitest/*
trigger
Syntax
trigger = HTTP[S]://virtual-host-name[:port_number]/url-pattern
Description
Format for virtual host junctions. Specifies the trigger URL that causes WebSEAL to set a special flag on the request. Responses to this request also contain the flag, which causes WebSEAL to intercept and examine the response for authentication data located in special HTTP headers.
For virtual host junctions to match a trigger, they must use the same protocol and the same virtual-host-name and port number as the trigger.
Options
HTTP[S]://virtual-host-name[:port_number]/url-pattern  The trigger URL (format for virtual host junctions) that causes WebSEAL to set a special flag on the request.
Usage
There must be at least one entry when eai-auth is not "none".
Default value
None.
Example
trigger = HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*
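Matching a request against both trigger formats of the [eai-trigger-urls] stanza, as an added example that is not WebSEAL code. The trigger list reuses the two examples from this reference; shell-wildcard matching for url-pattern, the default ports used when a virtual host trigger omits one, and the assumption that standard-format triggers apply only to standard junction requests (and virtual-host-format triggers only to virtual host junction requests) are mine, not the reference's.

```python
from fnmatch import fnmatchcase

# Constructed [eai-trigger-urls] entries in both formats shown in the reference.
TRIGGERS = [
    "/jct/cgi-bin/eaitest/*",
    "HTTPS://vhost1.example.com:4344/jct/cgi-bin/eaitest/*",
]


def parse_trigger(trigger):
    """Classify a trigger as ('standard', path_pattern) or
    ('virtual-host', scheme, host, port, path_pattern)."""
    if "://" not in trigger:
        return ("standard", trigger)
    scheme, rest = trigger.split("://", 1)
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    scheme = scheme.lower()
    if not port:
        port = "443" if scheme == "https" else "80"   # assumed default ports
    return ("virtual-host", scheme, host.lower(), port, "/" + path)


def is_trigger_request(scheme, host, port, path, junction_kind, triggers=TRIGGERS):
    """Does the request hit a trigger URL, flagging it (and its response) for EAI inspection?

    Virtual host triggers require the same protocol, host and port as the
    request, as the reference states; only the path part is a wildcard pattern.
    """
    for trigger in triggers:
        parsed = parse_trigger(trigger)
        if junction_kind == "standard" and parsed[0] == "standard":
            if fnmatchcase(path, parsed[1]):
                return True
        elif junction_kind == "virtual-host" and parsed[0] == "virtual-host":
            _, t_scheme, t_host, t_port, t_path = parsed
            same_origin = (scheme.lower(), host.lower(), str(port)) == (t_scheme, t_host, t_port)
            if same_origin and fnmatchcase(path, t_path):
                return True
    return False


if __name__ == "__main__":
    print(is_trigger_request("https", "vhost1.example.com", 4344,
                             "/jct/cgi-bin/eaitest/eaitest.pl", "virtual-host"))
```

Because a request that matches no trigger is never inspected for authentication headers, a deliberately narrow pattern (the EAI application's own path rather than /*) keeps ordinary back-end responses from being treated as authentication data.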
[e-community-domains] stanza
name
Syntax
name = domain
Description
The e-community cookie domains used by virtual host junctions. The domain used by a particular virtual host junction is chosen by finding the longest domain in the table that matches the virtual host name. Each of these domains must also have a corresponding table of keys defined by creating a stanza of the format [e-community-domain-keys:domain].
Options
domain The e-community cookie domain used by virtual host junctions.
Usage
This stanza entry is optional.
Default value
None.
Example
name = www.example.com
[e-community-domain-keys] stanza
domain_name
Syntax
domain_name = key_file
Description
File names for keys for any domains that are participating in the e-community. This includes the domain in which the WebSEAL server is running. These are shared on a pair-wise-by-domain basis.
Options
domain_name  A domain that is participating in the e-community.
key_file  File name for key for any domain that is participating in the e-community.
Usage
This stanza entry is optional.
Default value
None.
Example
ecssoserver.subnet.example.com = ecsso.key
[e-community-domain-keys:domain] stanza
domain_name
Syntax
domain_name = key_file
Description
Keys for any domains that are participating in the e-community, including the domain in which the virtual host junction is running. These are shared on a pair-wise-by-domain basis.
Options
domain_name  Domain that is participating in the e-community, including the domain in which the virtual host junction is running.
key_file  Key for any domain that is participating in the e-community, including the domain in which the virtual host junction is running.
Usage
This stanza entry is optional.
Default value
None.
Example
[e-community-domain-keys:www.example.com]
ecssoserver.subnet.example.com = ecsso.key
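The longest-match domain selection from the [e-community-domains] stanza and the lookup of the matching [e-community-domain-keys:domain] table, as an added example that is not the product's code. The domain list and key tables are constructed around the www.example.com example above; matching a virtual host name only on whole DNS labels (so that a host in a different zone whose name merely contains the domain does not match) is an assumption about how WebSEAL compares names.

```python
# Constructed [e-community-domains] name entries.
E_COMMUNITY_DOMAINS = ["example.com", "www.example.com", "partner.example.net"]

# Constructed per-domain key tables, one per [e-community-domain-keys:domain] stanza.
DOMAIN_KEYS = {
    "example.com": {"ecssoserver.subnet.example.com": "ecsso.key"},
    "www.example.com": {"ecssoserver.subnet.example.com": "ecsso-www.key"},
    # partner.example.net deliberately has no key table (a misconfiguration)
}


def matches_domain(host, domain):
    """Match on label boundaries only: 'shop.example.com' matches 'example.com',
    'example.com.other.test' does not (assumed semantics)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def cookie_domain_for(virtual_host, domains=E_COMMUNITY_DOMAINS):
    """Longest configured domain that matches the virtual host name, or None."""
    candidates = [d for d in domains if matches_domain(virtual_host, d)]
    return max(candidates, key=len) if candidates else None


def key_table_for(virtual_host, domains=E_COMMUNITY_DOMAINS, key_tables=DOMAIN_KEYS):
    """Key table a virtual host junction would use; a matched domain without a
    [e-community-domain-keys:domain] stanza is reported as a configuration error."""
    domain = cookie_domain_for(virtual_host, domains)
    if domain is None:
        return None
    if domain not in key_tables:
        raise ValueError(f"no [e-community-domain-keys:{domain}] stanza configured")
    return key_tables[domain]


def has_key_table(virtual_host, domains=E_COMMUNITY_DOMAINS, key_tables=DOMAIN_KEYS):
    """True when the virtual host resolves to a domain with a key table, or to no domain."""
    try:
        key_table_for(virtual_host, domains, key_tables)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for vhost in ("www.example.com", "shop.example.com", "sso.partner.example.net"):
        print(vhost, "->", cookie_domain_for(vhost), has_key_table(vhost))
```

The cookie domain chosen here is where the e-community cookie will be sent, so the longest match should be the narrowest domain the cooperating servers actually share; a bare example.com entry would expose the cookie to every host under it.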
[e-community-sso] stanza
cache-requests-for-ecsso
Syntaxcache-requests-for-ecsso = {yes|no}
Description
Specifies whether or not to cache request data from an unauthenticated request while the e-community master authentication server (MAS) authenticates the user.
Options
yes  If an unauthenticated request is made, the request data is cached while the e-community master authentication server (MAS) authenticates the user.
no  If an unauthenticated request is made, the request data is not cached while the e-community master authentication server (MAS) authenticates the user. The original request data will be lost.
Usage
This stanza entry is required.
Default value
yes
Example
cache-requests-for-ecsso = yes
e-community-name
Syntax
e-community-name = name
Description
String value that specifies an e-community name. When e-community single signon is supported, this name must match any vouch-for tokens or e-community cookies that are received.
Options
name  String value that specifies an e-community name. The string must not contain the equals sign ( = ) or ampersand ( & ).
Usage
This stanza entry is optional.
Default value
None.
Example
e-community-name = company1
disable-ec-cookie
Syntax
disable-ec-cookie = {yes|no}
Description
Provides an option to override default e-Community Single Sign-On (eCSSO) behavior and prohibit WebSEAL from using e-community-cookies.
76 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
Options
yes Prohibits WebSEAL from using the e-community-cookie; only the masterauthentication server (MAS) will be permitted to generate vouch-fortokens.
no The default eCSSO behavior in WebSEAL is left unchanged.
Usage
This stanza entry is optional.
Default value
no
Exampledisable-ec-cookie = no
e-community-sso-auth
Syntax
e-community-sso-auth = {none|http|https|both}
Description
Enables participation in e-community single signon.
Options
{none|http|https|both}
Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
e-community-sso-auth = none
ec-cookie-domain
Syntax
ec-cookie-domain = domain
Description
Domain that WebSEAL sets on the e-community cookie. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Options
domain The domain to set on the e-community cookie.
Usage
This stanza entry is optional. If not set, WebSEAL uses the domain from the automatically determined host name (or web-host-name if specified).
Default value
None.
Example
ec-cookie-domain = www.example.com
ec-cookie-lifetime
Syntax
ec-cookie-lifetime = number_of_minutes
Description
Positive integer value indicating the lifetime, in minutes, of an e-community cookie.
Options
number_of_minutes
Positive integer value indicating the lifetime, in minutes, of an e-community cookie. Minimum value is 1. There is no maximum value.
Usage
This stanza entry is required.
Default value
300
Example
ec-cookie-lifetime = 300
ecsso-allow-unauth
Syntax
ecsso-allow-unauth = {yes|no}
Description
Enables or disables unauthenticated access to unprotected resources on an e-community SSO slave server.
Options
yes The value yes enables unauthenticated access.
no The value no disables access. For compatibility with versions of WebSEAL prior to version 5.1, set this value to no.
Usage
This stanza entry is required.
Default value
yes
Example
ecsso-allow-unauth = yes
ecsso-propagate-errors
Syntax
ecsso-propagate-errors = {yes|no}
Description
Specifies whether authentication errors returned by the master-authn-server in vouch-for tokens are propagated to the ERROR_CODE and ERROR_TEXT macros used by facilities such as local response redirect.
Options
yes Authentication errors are propagated to the ERROR_CODE and ERROR_TEXT macros.
no Authentication errors are not propagated to the ERROR_CODE and ERROR_TEXT macros.
Usage
This stanza entry is required.
Default value
no
Example
ecsso-propagate-errors = no
handle-auth-failure-at-mas
Syntax
handle-auth-failure-at-mas = {yes|no}
Description
Provides an option to override default eCSSO behavior and allow the MAS to handle login failures without redirecting the Web browser back to the requesting host.
Options
yes Enables the MAS to handle login failures directly without redirecting the Web browser back to the requesting host.
no The default eCSSO behavior in WebSEAL is left unchanged. On a login failure, the MAS will generate a vouch-for token and redirect the Web browser back to the requesting host.
Usage
This stanza entry is optional.
Default value
no
Example
handle-auth-failure-at-mas = no
is-master-authn-server
Syntax
is-master-authn-server = {yes|no}
Description
Specifies whether this WebSEAL server accepts vouch-for requests from other WebSEAL instances. The WebSEAL instances must have domain keys listed in the [e-community-domain-keys] stanza.
Options
yes This WebSEAL server accepts vouch-for requests from other WebSEAL instances. When this value is yes, this WebSEAL server is the master authentication server.
no This WebSEAL server does not accept vouch-for requests from other WebSEAL instances.
Usage
This stanza entry is optional.
Default value
None.
Example
is-master-authn-server = no
master-authn-server
Syntax
master-authn-server = fully_qualified_hostname
Description
Location of the master authentication server. This value must be specified when is-master-authn-server is set to no. If a local domain login has not been performed then authentication attempts are routed through the master machine. The master machine will vouch for the user identity. The domain key for the master-authn-server needs to be listed in the [e-community-domain-keys] stanza.
Options
fully_qualified_hostname
Location of the master authentication server.
Usage
This stanza entry is optional, but must be present when is-master-authn-server is set to no.
Default value
None.
Example
master-authn-server = diamond.dev.example.com
master-http-port
Syntax
master-http-port = port_number
Description
Integer value specifying the port number on which the master-authn-server listens for HTTP requests. The setting is necessary when e-community-sso-auth permits use of the HTTP protocol, and the master-authn-server listens for HTTP requests on a port other than the standard HTTP port (port 80). This stanza entry is ignored if this WebSEAL server is the master authentication server.
Options
port_number
Integer value specifying the port number on which the master-authn-server listens for HTTP requests.
Usage
This stanza entry is optional.
Default value
None.
Example
master-http-port = 81
master-https-port
Syntax
master-https-port = port_number
Description
Integer value specifying the port number on which the master-authn-server listens for HTTPS requests. The setting is necessary when e-community-sso-auth permits use of the HTTPS protocol, and the master-authn-server listens for HTTPS requests on a port other than the standard HTTPS port (port 443). This stanza entry is ignored if this WebSEAL server is the master authentication server.
Options
port_number
Integer value specifying the port number on which the master-authn-server listens for HTTPS requests.
Usage
This stanza entry is optional.
Default value
None.
Example
master-https-port = 444
propagate-cdmf-errors
Syntax
propagate-cdmf-errors = {yes|no}
Description
Controls subsequent behavior of the token creation process when the cdmf_get_usr_attributes call fails to obtain the required extended attribute information and returns an error.
Options
yes A "yes" value forces the token creation process to abort when CDMF fails to obtain attributes and returns an error.
no A "no" value (default) allows the token creation process to proceed even when CDMF fails to obtain attributes and returns an error.
Usage
This stanza entry is required.
Default value
no
Example
propagate-cdmf-errors = no
use-utf8
Syntax
use-utf8 = {yes|no}
Description
Use UTF-8 encoding for tokens used in e-community single signon.
Options
yes Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, tokens can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables tokens to be used across different code pages (such as for a different language).
no For backward compatibility with tokens created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.
Usage
This stanza entry is required.
Default value
yes
Example
use-utf8 = yes
vf-argument
Syntax
vf-argument = vouch-for_token_name
Description
String value containing the name of the vouch-for token contained in a vouch-for reply. This is used to construct the vouch-for replies by the master authentication server, and to distinguish incoming requests as ones with vouch-for information by participating e-community single signon servers.
Options
vouch-for_token_name
Valid characters for the string are ASCII characters except for ampersand ( & ), equals sign ( = ), and question mark ( ? ).
Usage
This stanza entry is optional.
Default value
PD-VF
Example
vf-argument = PD-VF
vf-token-lifetime
Syntax
vf-token-lifetime = number_of_seconds
Description
Positive integer indicating the lifetime, in seconds, of the vouch-for token. This is set to account for clock skew between participant servers.
Options
number_of_seconds
Positive integer indicating the lifetime, in seconds, of the vouch-for token. The minimum value is 1 second. There is no maximum value.
Usage
This stanza entry is optional.
Default value
180
Example
vf-token-lifetime = 180
vf-url
Syntax
vf-url = URL_designation
Description
Designator for the vouch-for URL. This specifies the start of a URL relative to the server root. This is used to construct vouch-for requests for participating e-community single signon servers, and to distinguish requests for vouch-for information from other requests by the master authentication server.
Options
URL_designation
The URL_designation string can contain alphanumeric characters and the following special characters: dollar sign ( $ ), hyphen ( - ), underscore ( _ ), period ( . ), plus sign ( + ), exclamation point ( ! ), asterisk ( * ), single quote ( ' ), parentheses " ( ) " and comma ( , ). Question marks ( ? ) are not allowed.
Usage
This stanza entry is optional.
Default value
When the stanza entry is not present in the configuration file, the default value is /pkmsvouchfor.
Example
vf-url = /pkmsvouchfor
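The entries of this stanza carry constraints that are easy to get wrong by hand: e-community-name must not contain = or &, vf-argument is ASCII without &, = or ?, vf-url has a fixed character set, both lifetimes are positive integers, a server that is not the MAS must name a master-authn-server whose domain key is listed in [e-community-domain-keys], and master-http-port or master-https-port only matter on a non-MAS server whose e-community-sso-auth permits that protocol. The following Python is an added example, not IBM code and not part of this reference: it parses a constructed stanza fragment with the standard library configparser and reports each violation. Two points are assumptions rather than statements of the page: that / is permitted in vf-url (the documented default /pkmsvouchfor contains one), and that a parent domain of the MAS host name is an acceptable key in [e-community-domain-keys].

```python
import configparser
import string

# Characters the vf-url entry permits: alphanumerics plus $ - _ . + ! * ' ( ) and comma.
# '/' is not in that list, but the documented default /pkmsvouchfor needs it (assumption).
VF_URL_ALLOWED = set(string.ascii_letters + string.digits + "$-_.+!*'(),/")
SSO_AUTH_VALUES = ("none", "http", "https", "both")


def parse_stanzas(text):
    """Parse stanza text. Names such as [e-community-domain-keys:www.example.com]
    are ordinary section names to configparser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return cp


def _has_domain_key(cp, host):
    """True if host, or one of its parent domains (assumption), is a key in any
    [e-community-domain-keys] or [e-community-domain-keys:<junction>] stanza."""
    labels = host.split(".")
    candidates = {".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))}
    for section in cp.sections():
        if section == "e-community-domain-keys" or section.startswith("e-community-domain-keys:"):
            if candidates & set(cp[section]):
                return True
    return False


def validate_ecsso(cp):
    """Return a list of problems; an empty list means every documented check passed."""
    if not cp.has_section("e-community-sso"):
        return ["[e-community-sso] stanza is missing"]
    s = cp["e-community-sso"]
    problems = []

    name = s.get("e-community-name", "")
    if not name:
        problems.append("e-community-name: not set")
    elif "=" in name or "&" in name:
        problems.append("e-community-name: must not contain '=' or '&'")

    auth = s.get("e-community-sso-auth", "none").lower()
    if auth not in SSO_AUTH_VALUES:
        problems.append(f"e-community-sso-auth: {auth!r} is not one of {SSO_AUTH_VALUES}")

    vf_arg = s.get("vf-argument", "PD-VF")
    if not vf_arg.isascii() or any(c in "&=?" for c in vf_arg):
        problems.append("vf-argument: ASCII only, and no '&', '=' or '?'")

    vf_url = s.get("vf-url", "/pkmsvouchfor")
    bad = set(vf_url) - VF_URL_ALLOWED
    if bad:
        problems.append("vf-url: characters not permitted: " + "".join(sorted(bad)))

    for key, default in (("ec-cookie-lifetime", "300"), ("vf-token-lifetime", "180")):
        raw = s.get(key, default)
        if not raw.isdigit() or int(raw) < 1:
            problems.append(f"{key}: must be a positive integer, got {raw!r}")

    is_mas = s.get("is-master-authn-server", "no").lower() == "yes"
    mas = s.get("master-authn-server", "")
    if is_mas:
        for key in ("master-http-port", "master-https-port"):
            if key in s:
                problems.append(f"{key}: ignored because this server is the MAS")
    else:
        if not mas:
            problems.append("master-authn-server: required when is-master-authn-server = no")
        elif not _has_domain_key(cp, mas):
            problems.append(f"master-authn-server: no domain key for {mas} in [e-community-domain-keys]")
        for key, proto in (("master-http-port", "http"), ("master-https-port", "https")):
            if key in s:
                port = s[key]
                if not port.isdigit() or not 1 <= int(port) <= 65535:
                    problems.append(f"{key}: {port!r} is not a valid TCP port")
                elif auth not in (proto, "both"):
                    problems.append(f"{key}: set but e-community-sso-auth = {auth} never uses {proto}")
    return problems


# Constructed configuration fragment: two of its values violate the documented rules.
SAMPLE_CONFIG = """\
[e-community-sso]
e-community-sso-auth = https
e-community-name = company1
is-master-authn-server = no
master-authn-server = diamond.dev.example.com
master-https-port = 444
vf-token-lifetime = 180
ec-cookie-lifetime = 0
vf-argument = PD=VF

[e-community-domain-keys]
dev.example.com = ecsso.key
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("ec-cookie-lifetime = 0", "ec-cookie-lifetime = 300").replace("PD=VF", "PD-VF")

if __name__ == "__main__":
    for problem in validate_ecsso(parse_stanzas(SAMPLE_CONFIG)):
        print(problem)
```

Run as a script it prints the two violations in SAMPLE_CONFIG (the ec-cookie-lifetime of 0 and the equals sign in vf-argument); FIXED_CONFIG passes cleanly.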
[ecsso-incoming-attributes] stanza
attribute_pattern
Syntax
attribute_pattern = {preserve|refresh}
Description
Extended attributes to extract from incoming eCSSO authentication tokens.
The attributes typically match those declared in the [cdsso-token-attributes] stanza for the WebSEAL server in the source domain.
The attribute_pattern can be either a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
The order of attribute_pattern entries is important. The first entry that matches the attribute is used. Other entries are ignored.
Options
preserve
Attributes in eCSSO vouch-for tokens that match a "preserve" entry, or that match none of the entries, are kept. If no entries are configured, then all attributes are kept.
refresh
Attributes in eCSSO vouch-for tokens that match a "refresh" entry are removed from the token before the CDMF library is called to map the remote user into the local domain.
Usage
This stanza entry is optional.
Default value
None.
Example
my_cred_attr1 = preserve
[ecsso-token-attributes] stanza
<default>
Syntax
<default> = pattern1
[<default> = pattern2]
...
[<default> = patternN]
Description
Credential attributes to include in eCSSO authentication tokens. When WebSEAL cannot find a domain_name entry to match the domain, the entries in "<default>" are used. The word <default> is a key word and must not be modified.
Options
pattern The pattern can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
Usage
This stanza entry is optional.
Default value
None.
Example
<default> = my_cdas_attr_*
domain_name
Syntax
domain_name = pattern1
[domain_name = pattern2]
...
[domain_name = patternN]
Description
Credential attributes to include in eCSSO authentication tokens.
Options
domain_name
The domain_name specifies the destination domain containing the server that will consume the token.
pattern The pattern for each entry can either be a specific value or a pattern that uses standard Security Access Manager wildcard characters ( *, [], ^, \, ? ).
Usage
This stanza entry is optional.
Default value
None.
Example
example1.com = my_cdas_attr_*
example1.com = some_exact_attribute
[enable-redirects] stanza
redirect
Syntax
redirect = {forms-auth|basic-auth|cert-auth|ext-auth-interface}
Description
Enables redirection for use with one or more authentication mechanisms.
Options
{forms-auth|basic-auth|cert-auth|ext-auth-interface}
Redirection is supported for:
- Forms authentication
- Basic authentication
- Certificate authentication
- External authentication interface
The configuration file must contain a separate entry for each authentication mechanism for which redirection is enabled.
Usage
This stanza entry is optional.
Default value
None.
Example
Example entries that enable redirection for forms authentication and basic authentication:
redirect = forms-auth
redirect = basic-auth
[failover] stanza
clean-ecsso-urls-for-failover
Syntax
clean-ecsso-urls-for-failover = {yes|no}
Description
You can enable Failover Authentication and eCSSO in your environment. During failover authentication, if a user was originally authenticated using eCSSO, WebSEAL updates the URL that it sends to the back-end server. WebSEAL sends PD-VFHOST and PD-VF tokens as query arguments, along with the original URL.
Use the clean-ecsso-urls-for-failover configuration entry to control whether these tokens are removed from the URL.
Options
yes The query arguments that contain the PD-VFHOST and PD-VF tokens are removed from the URL.
no The query arguments that contain the PD-VFHOST and PD-VF tokens are not removed from the URL.
Usage
This stanza entry is optional.
Default value
no
Example
clean-ecsso-urls-for-failover = no
enable-failover-cookie-for-domain
Syntax
enable-failover-cookie-for-domain = {yes|no}
Description
Enables the failover cookie for the domain.
Options
yes Enables the failover cookie for the domain.
no Disables the failover cookie for the domain.
Usage
This stanza entry is required.
Default value
no
Example
enable-failover-cookie-for-domain = no
failover-auth
Syntax
failover-auth = {none|http|https|both}
Description
Enables WebSEAL to accept failover cookies.
Options
{none|http|https|both}
Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
failover-auth = none
failover-cookie-lifetime
Syntax
failover-cookie-lifetime = number_of_minutes
Description
An integer value specifying the number of minutes that failover cookie contents are valid.
Options
number_of_minutes
An integer value specifying the number of minutes that failover cookie contents are valid. Must be a positive integer. There is no maximum value.
Usage
This stanza entry is required.
Default value
60
Example
failover-cookie-lifetime = 60
failover-cookies-keyfile
Syntax
failover-cookies-keyfile = file_name
Description
A key file for failover cookie encryption. Use the SSO Keys management page of the LMI to generate this file.
Options
file_name
Name of the key file for failover cookie encryption.
Usage
This stanza entry is optional.
Default value
None.
Example
failover-cookies-keyfile = failover.key
failover-include-session-id
Syntax
failover-include-session-id = {yes|no}
Description
Enables or disables reuse of a client's original session ID, to improve failover authentication response and performance in a non-sticky load-balancing environment. WebSEAL reuses the original session ID by storing the ID as an extended attribute in the failover cookie.
Options
yes WebSEAL reuses a client's original session ID to improve failover authentication response and performance in a non-sticky load-balancing environment.
no WebSEAL does not reuse a client's original session ID.
Usage
This stanza entry is required.
Default value
no
Example
failover-include-session-id = no
failover-require-activity-timestamp-validation
Syntax
failover-require-activity-timestamp-validation = {yes|no}
Description
Enables or disables the requirement of a session activity timestamp validation in the failover cookie.
Options
yes Enables the requirement of a session activity timestamp validation in the failover cookie.
no Disables the requirement of a session activity timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session activity timestamp in the failover cookie.
Usage
This stanza entry is required.
Default value
no
Example
failover-require-activity-timestamp-validation = no
failover-require-lifetime-timestamp-validation
Syntax
failover-require-lifetime-timestamp-validation = {yes|no}
Description
Enables or disables the requirement of a session lifetime timestamp validation in the failover cookie.
Options
yes Enables the requirement of a session lifetime timestamp validation in the failover cookie.
no Disables the requirement of a session lifetime timestamp validation in the failover cookie. For backward compatibility with versions of WebSEAL server prior to version 5.1, set this stanza entry to no. Versions prior to version 5.1 did not create the session lifetime timestamp in the failover cookie.
Usage
This stanza entry is required.
Default value
no
Example
failover-require-lifetime-timestamp-validation = no
failover-update-cookie
Syntax
failover-update-cookie = number_of_seconds
Description
The maximum interval, in number of seconds, allowed between updates of the session activity timestamp in the failover cookies. The value is an integer. When the server receives a request, if the number of seconds specified for this parameter has passed since the last update, the session activity timestamp is updated.
Options
number_of_seconds
When the value is 0, the session activity timestamp is updated on every request. When the value is less than zero (negative number), the session activity timestamp is never updated. There is no maximum value.
Usage
This stanza entry is required.
Default value
-1
Example
failover-update-cookie = 60
reissue-missing-failover-cookie
Syntax
reissue-missing-failover-cookie = {yes|no}
Description
Allows WebSEAL to reissue a cached original failover cookie in the response to a client, if the client makes a request that does not include the failover cookie.
Options
yes Enables the failover cookie reissue mechanism.
no Disables the failover cookie reissue mechanism.
Usage
This stanza entry is required.
Default value
no
Example
reissue-missing-failover-cookie = no
use-utf8
Syntax
use-utf8 = {yes|no}
Description
Use UTF-8 encoding for strings in the failover authentication cookie.
Options
yes Beginning with version 5.1, WebSEAL servers use UTF-8 encoding by default. When this stanza entry is set to yes, cookies can be exchanged with other WebSEAL servers that use UTF-8 encoding. This enables cookies to be used across different code pages (such as for a different language).
no For backward compatibility with cookies created by WebSEAL servers from versions prior to 5.1, set this stanza entry to no.
Usage
This stanza entry is required.
Default value
yes
Example
use-utf8 = yes
[failover-add-attributes] stanza
attribute_pattern
Syntax
attribute_pattern = add
Description
List of attributes from the original credential that must be preserved in the failover cookie.
The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the failover cookie.
Options
attribute_pattern
A case-insensitive wildcard pattern that is matched against the attribute name.
add Add the matching attribute to the failover cookie.
Usage
Entries in this stanza are optional.
Default value
There are no default entries in this stanza. However, the attributes AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are added to the failover cookie by default. These attributes do not need to be included in the configuration stanza.
Example
tagvalue_failover_amweb_session_id = add
session-activity-timestamp
Syntax
session-activity-timestamp = add
Description
This entry specifies that the timestamp for the last user activity be taken from the failover cookie and added to the new session on the replicated server.
This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.
Options
add Add attribute.
Usage
This stanza entry is optional and must be manually added to the configuration file.
Default value
None.
Example
session-activity-timestamp = add
session-lifetime-timestamp
Syntax
session-lifetime-timestamp = add
Description
This entry specifies that the timestamp for creation of the original session be taken from the failover cookie and added to the new session on the replicated server.
This attribute cannot be specified by pattern matching. This entry must be added exactly as it is written.
Options
add Add attribute.
Usage
This stanza entry is optional and must be manually added to the configuration file.
Default value
None.
Example
session-lifetime-timestamp = add
[failover-restore-attributes] stanza
attribute_pattern
Syntax
attribute_pattern = preserve
Description
List of attributes to put in the new credential when recreating a credential from a failover cookie.
The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the credential.
Options
attribute_pattern
A case-insensitive wildcard pattern that is matched against the attribute name.
preserve
When WebSEAL recreates a credential, all failover cookie attributes are ignored unless specified by an entry with the value preserve.
Usage
Entries in this stanza are optional.
Default value
None.
Example
tagvalue_failover_amweb_session_id = preserve
attribute_pattern
Syntax
attribute_pattern = refresh
Description
A list of failover cookie attributes to omit from the recreated user credential.
This list is not needed in all configurations. The default behavior when recreating a user credential is to omit all attributes that are not specified with a value of preserve. In some cases it might be necessary to specify an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved. This might be necessary, for example, when using a custom external authentication C API module.
The order of entries in the stanza is important. Rules (patterns) that appear earlier in the stanza take precedence over those that appear later in the stanza. Attributes that do not match any pattern will not be added to the credential.
Options
attribute_pattern
A case-insensitive wildcard pattern that is matched against the attribute name.
refresh
Specifies an exception to a wildcard pattern match, to ensure that a specific attribute gets refreshed, not preserved.
Usage
Entries in this stanza are optional.
Default value
None.
Example
tagvalue_failover_amweb_session_id = refresh
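The [ecsso-incoming-attributes], [failover-add-attributes] and [failover-restore-attributes] stanzas share one evaluation model: entries are tried in stanza order, the first pattern that matches the attribute name decides, and an attribute that matches nothing is kept for incoming eCSSO tokens but dropped for the failover cookie and the credential rebuilt from it. The Python below is an added example, not WebSEAL's code, that implements that model and runs it over a constructed credential; the attribute names other than AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are made up for the example. fnmatch stands in for the Security Access Manager wildcard syntax (an assumption: *, ? and [] behave alike, ^ and \ are not modelled).

```python
from fnmatch import fnmatchcase


def parse_rules(stanza_text):
    """Parse the 'pattern = action' lines of one stanza, preserving their order."""
    rules = []
    for line in stanza_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        pattern, _, action = line.partition("=")
        rules.append((pattern.strip(), action.strip().lower()))
    return rules


def filter_attributes(attrs, rules, unmatched):
    """Apply ordered rules to credential attributes; the first matching pattern wins.

    unmatched is the action for names no rule matches: 'preserve' for
    [ecsso-incoming-attributes] (kept unless refreshed), 'refresh' for the
    failover stanzas (nothing is carried over unless listed). Matching is
    case-insensitive, as the failover stanzas specify; fnmatch approximates the
    Security Access Manager wildcard syntax (assumption).
    """
    kept = {}
    for name, value in attrs.items():
        action = unmatched
        for pattern, rule_action in rules:
            if fnmatchcase(name.lower(), pattern.lower()):
                action = rule_action
                break
        if action in ("preserve", "add"):
            kept[name] = value
    return kept


# Constructed credential. AUTHENTICATION_LEVEL and AZN_CRED_AUTH_METHOD are the two
# attributes the page says enter the failover cookie by default; the rest are made up.
CRED = {
    "AUTHENTICATION_LEVEL": "1",
    "AZN_CRED_AUTH_METHOD": "forms",
    "tagvalue_failover_amweb_session_id": "a1b2c3",
    "tagvalue_department": "finance",
    "my_cdas_attr_role": "auditor",
    "my_cdas_attr_stale_token": "expired",
}

# The refresh entry precedes the wildcard, so it wins for that one attribute.
FAILOVER_RESTORE = """
[failover-restore-attributes]
my_cdas_attr_stale_token = refresh
my_cdas_attr_* = preserve
tagvalue_failover_amweb_session_id = preserve
"""

ECSSO_INCOMING = """
[ecsso-incoming-attributes]
my_cdas_attr_stale_* = refresh
"""


def restore_from_failover_cookie(attrs=CRED, stanza=FAILOVER_RESTORE):
    """Attributes placed in the credential rebuilt from a failover cookie."""
    return filter_attributes(attrs, parse_rules(stanza), unmatched="refresh")


def accept_ecsso_token(attrs=CRED, stanza=ECSSO_INCOMING):
    """Attributes left in an incoming eCSSO token before CDMF maps the user."""
    return filter_attributes(attrs, parse_rules(stanza), unmatched="preserve")


def order_matters(attrs=CRED):
    """FAILOVER_RESTORE with the wildcard first: the stale token now matches
    'my_cdas_attr_*' before its refresh entry is reached, and is kept."""
    reordered = "my_cdas_attr_* = preserve\nmy_cdas_attr_stale_token = refresh\n"
    return filter_attributes(attrs, parse_rules(reordered), unmatched="refresh")


if __name__ == "__main__":
    print(sorted(restore_from_failover_cookie()))  # role and session id only
    print(sorted(accept_ecsso_token()))            # everything except the stale token
    print(sorted(order_matters()))                 # the stale token survives
```

The third function is the point of the ordering rule in the text: the same two entries written in the other order silently preserve the attribute the administrator meant to refresh.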
[filter-content-types] stanza
type
Syntax
type = type_name
Description
List of entries that specify MIME types to be filtered by WebSEAL when received from junctioned servers.
Administrators can add additional MIME types that refer to a document that contains HTML or HTML-like content.
Options
type_name
MIME type.
Usage
This list of stanza entries is required.
Default value
Do not remove the default entries.
type = text/html
type = text/vnd.wap.wml
Example
type = text/html
type = text/vnd.wap.wml
[filter-events] stanza
HTML_tag
Syntax
HTML_tag = event_handler
Description
List of HTML tags used by WebSEAL to identify and filter absolute URLs embedded in JavaScript. JavaScript allows HTML tags to contain event handlers that are invoked when certain events occur. For example, the HTML tag:
<form onsubmit="javascript:doSomething()">
causes the JavaScript function doSomething() to be called when the form is submitted.
The entries in this stanza are used to identify HTML tags that may contain JavaScript code. When such a tag is discovered, WebSEAL searches the tag to filter any absolute URLs embedded in the JavaScript. For example, if the "form onsubmit" example looked like:
<form onsubmit="javaScript:doSomething('http://junction.server.com')">
WebSEAL HTML filtering would modify the tag to look like:
<form onsubmit="javaScript:doSomething('/junction')">
Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and the event handler attributes that JavaScript defines for them. When adding new entries, maintain alphabetical order.
Options
HTML_tag
HTML tag.
event_handler
JavaScript event handler.
Usage
This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.
Default value
Default HTML tags and event handlers:
A = ONCLICK
A = ONDBLCLICK
A = ONMOUSEDOWN
A = ONMOUSEOUT
A = ONMOUSEOVER
A = ONMOUSEUP
AREA = ONCLICK
AREA = ONMOUSEOUT
AREA = ONMOUSEOVER
BODY = ONBLUR
BODY = ONCLICK
BODY = ONDRAGDROP
BODY = ONFOCUS
BODY = ONKEYDOWN
BODY = ONKEYPRESS
BODY = ONKEYUP
BODY = ONLOAD
BODY = ONMOUSEDOWN
BODY = ONMOUSEUP
BODY = ONMOVE
BODY = ONRESIZE
BODY = ONUNLOAD
FORM = ONRESET
FORM = ONSUBMIT
FRAME = ONBLUR
FRAME = ONDRAGDROP
FRAME = ONFOCUS
FRAME = ONLOAD
FRAME = ONMOVE
FRAME = ONRESIZE
FRAME = ONUNLOAD
IMG = ONABORT
IMG = ONERROR
IMG = ONLOAD
INPUT = ONBLUR
INPUT = ONCHANGE
INPUT = ONCLICK
INPUT = ONFOCUS
INPUT = ONKEYDOWN
INPUT = ONKEYPRESS
INPUT = ONKEYUP
INPUT = ONMOUSEDOWN
INPUT = ONMOUSEUP
INPUT = ONSELECT
LAYER = ONBLUR
LAYER = ONLOAD
LAYER = ONMOUSEOUT
LAYER = ONMOUSEOVER
SELECT = ONBLUR
SELECT = ONCHANGE
SELECT = ONFOCUS
TEXTAREA = ONBLUR
TEXTAREA = ONCHANGE
TEXTAREA = ONFOCUS
TEXTAREA = ONKEYDOWN
TEXTAREA = ONKEYPRESS
TEXTAREA = ONKEYUP
TEXTAREA = ONSELECT
Example
IMG = ONABORT
[filter-request-headers] stanza
header
Syntax
header = header_name
Description
List of HTTP headers that WebSEAL filters before sending the request to a junctioned server. A default list is built in to WebSEAL. The default entries are not included in the configuration file.
The addition of new entries in this stanza is optional. For example, an administrator could add the accept-encoding header. This would instruct WebSEAL to remove any accept-encoding headers from requests before forwarding the request to the junction. The removal of the accept-encoding header would cause the junction server to return the document in an unencoded form, allowing WebSEAL to filter the document if necessary.
New entries must consist of valid HTTP headers.
Options
header_name
HTTP header name.
Usage
The addition of new entries in this stanza is optional.
Default value
Default built-in header list:
host
connection
proxy-connection
expect
te
iv-ssl-jct
iv-user
iv_user
iv-groups
iv_groups
iv-creds
iv_creds
iv_remote_address
iv-remote-address
Example
header = accept-encoding
[filter-schemes] stanza
scheme
Syntax
scheme = scheme_name
Description
List of URL schemes that are not to be filtered by WebSEAL. A scheme is a protocol identifier.
This list is utilized when WebSEAL encounters a document containing a base URL. For example:
<head><base href="http://www.foo.com"></head>
<a href="mailto:[email protected]">Send me mail</a>
WebSEAL identifies the scheme mailto because this scheme is included by default in the [filter-schemes] stanza. If mailto was not identified as a scheme, WebSEAL would interpret it as a document and perform normal filtering. WebSEAL would then rewrite the link as:
<a href="http://www.foo.com/mailto:[email protected]">
This would be incorrect.
Options
scheme_name
Scheme name.
Usage
WebSEAL provides a set of default schemes. The administrator can extend the list if additional protocols are used. Do not delete entries from the list.
Default value
Default list entries:
scheme = file
scheme = ftp
scheme = https
scheme = mailto
scheme = news
scheme = telnet
Example
scheme = telnet
[filter-url] stanza
HTML_tag
Syntax
HTML_tag = URL_attribute
Description
List of HTML tags and URL attributes that the WebSEAL server filters in responses from junctioned servers.
Administrators can add additional entries when necessary. New entries must consist of valid HTML tags and attributes. When adding new entries, maintain alphabetical order.
Options
HTML_tag
HTML tag.
URL_attribute
URL attribute.
Usage
This list is required. Although not all tags are required by all applications, the unused tags do no harm. Leave the default entries in this list.
Default value
Default HTML tags and attributes:
A = HREF
APPLET = CODEBASE
AREA = HREF
BASE = HREF
BGSOUND = SRC
BLOCKQUOTE = CITE
BODY = BACKGROUND
DEL = CITE
DIV = EMPTYURL
DIV = IMAGEPATH
DIV = URL
DIV = VIEWCLASS
EMBED = PLUGINSPAGE
EMBED = SRC
FORM = ACTION
FRAME = LONGDESC
FRAME = SRC
HEAD = PROFILE
IFRAME = LONGDESC
IFRAME = SRC
ILAYER = BACKGROUND
ILAYER = SRC
IMG = SRC
IMG = LOWSRC
IMG = LONGDESC
IMG = USEMAP
IMG = DYNSRC
INPUT = SRC
INPUT = USEMAP
INS = CITE
ISINDEX = ACTION
ISINDEX = HREF
LAYER = BACKGROUND
LAYER = SRC
LINK = HREF
LINK = SRC
OBJECT = CODEBASE
OBJECT = DATA
OBJECT = USEMAP
Q = CITE
SCRIPT = SRC
TABLE = BACKGROUND
TD = BACKGROUND
TH = BACKGROUND
TR = BACKGROUND
WM:CALENDARPICKER = FOLDERURL
WM:CALENDARPICKER = IMAGEPREVARROW
WM:CALENDARPICKER = IMAGENEXTARROW
WM:CALENDARVIEW = FOLDERURL
WM:MESSAGE = DRAFTSURL
WM:MESSAGE = URL
WM:NOTIFY = FOLDER
WM:REMINDER = FOLDER
?IMPORT = IMPLEMENTATION
Example
IMG = SRC
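The [filter-events], [filter-schemes] and [filter-url] stanzas describe one rewriting pass over a junctioned server's response: attribute values named in [filter-url], and absolute URLs embedded in the handlers named in [filter-events], are mapped from the back-end server's address to its junction path, while any value whose scheme is listed in [filter-schemes] is left untouched rather than being treated as a document under the page's <base href>. The Python below is an added example, not WebSEAL's code, that models that pass with regular expressions over a constructed page. The junction mapping (http://junction.server.com to /junction), the subset of the default tag lists used, and the treatment of unlisted values as paths resolved against the base URL are assumptions for the example. Passing an empty scheme set reproduces the incorrect mailto rewrite the [filter-schemes] text describes.

```python
import re
from urllib.parse import urljoin

# Subsets of the default lists on the page: [filter-url] tag/attribute pairs,
# [filter-events] tag/handler pairs, and the full default [filter-schemes] list.
FILTER_URL = {("A", "HREF"), ("BASE", "HREF"), ("FORM", "ACTION"), ("IMG", "SRC"), ("SCRIPT", "SRC")}
FILTER_EVENTS = {("A", "ONCLICK"), ("BODY", "ONLOAD"), ("FORM", "ONSUBMIT")}
FILTER_SCHEMES = {"file", "ftp", "https", "mailto", "news", "telnet"}

TAG_RE = re.compile(r"<([A-Za-z][\w:]*)(\s[^<>]*?)?(/?)>")
ATTR_RE = re.compile(r"""([A-Za-z_:][\w:.-]*)\s*=\s*("([^"]*)"|'([^']*)')""")
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
ABS_URL_RE = re.compile(r"""https?://[^\s'"()<>]+""")


def resolve_against_base(base, value):
    """Resolve value as a document path under <base href>. urljoin would honour a
    leading 'scheme:' in value, so './' is prefixed: an unlisted scheme is then
    treated as a relative document, which is exactly the mistake the text describes."""
    if value.startswith("/"):
        return urljoin(base, value)
    return urljoin(base, "./" + value)


def rewrite_url(value, base, junctions, schemes):
    """Map one URL: listed schemes pass through unchanged; absolute URLs of
    junctioned servers become junction paths; anything else is resolved against
    the base URL (assumption) and then checked against the junctions."""
    m = SCHEME_RE.match(value)
    if m and m.group(1).lower() in schemes:
        return value
    is_absolute = bool(m) and value[m.end():].startswith("//")
    if not is_absolute and base:
        value = resolve_against_base(base, value)
    for origin, junction in junctions.items():
        if value == origin or value.startswith(origin + "/"):
            return junction + value[len(origin):]
    return value


def filter_html(html, junctions, filter_url=FILTER_URL, filter_events=FILTER_EVENTS,
                filter_schemes=FILTER_SCHEMES):
    """Rewrite URLs in [filter-url] attributes and inside [filter-events] handlers."""
    state = {"base": None}

    def fix_tag(m):
        tag, attrs, slash = m.group(1), m.group(2) or "", m.group(3)

        def fix_attr(am):
            name = am.group(1)
            quote = am.group(2)[0]
            value = am.group(3) if am.group(3) is not None else am.group(4)
            pair = (tag.upper(), name.upper())
            if pair in filter_url:
                if pair == ("BASE", "HREF"):
                    state["base"] = value  # later values resolve against this base
                new = rewrite_url(value, state["base"], junctions, filter_schemes)
            elif pair in filter_events:
                # only absolute URLs embedded in the JavaScript are touched
                new = ABS_URL_RE.sub(
                    lambda u: rewrite_url(u.group(0), None, junctions, filter_schemes), value)
            else:
                return am.group(0)
            return f"{name}={quote}{new}{quote}"

        return f"<{tag}{ATTR_RE.sub(fix_attr, attrs)}{slash}>"

    return TAG_RE.sub(fix_tag, html)


# Constructed input: a <base href>, a mailto link, an absolute link to the
# junctioned server, and a form whose handler embeds that server's address.
JUNCTIONS = {"http://junction.server.com": "/junction"}
SAMPLE_HTML = """<head><base href="http://www.foo.com"></head>
<a href="mailto:helpdesk@example.com">Send me mail</a>
<a href="http://junction.server.com/docs/">Docs</a>
<form action="http://junction.server.com/login" onsubmit="javaScript:doSomething('http://junction.server.com')">
"""

if __name__ == "__main__":
    print(filter_html(SAMPLE_HTML, JUNCTIONS))                     # mailto left alone
    print(filter_html(SAMPLE_HTML, JUNCTIONS, filter_schemes=set()))  # mailto mangled
```

Note that https is in the default [filter-schemes] list as the page gives it, so under these defaults an https link is passed through by this model exactly as a mailto link is.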
[flow-data] stanza
flow-data-enabled
Syntax
flow-data-enabled = {yes|no}
Description
The appliance can record statistical information about incoming WebSEAL requests. Use this parameter to enable or disable the recording of flow data statistics.
If you set this parameter to yes, you can also use the flow-data-stats-interval parameter in the [flow-data] stanza to set the frequency for gathering statistics.
Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more useful. You can then view a statistical breakdown of all requests based on user-agent and junction.
Options
yes WebSEAL records statistics about incoming requests.
no WebSEAL does not record statistics about incoming requests.
Usage
This stanza entry is optional.
Default value
yes
Example
flow-data-enabled = yes
flow-data-stats-interval
Syntax
flow-data-stats-interval = number_of_seconds
Description
This parameter determines how frequently the appliance collects flow data statistics. This parameter specifies the statistics interval in seconds. At each time interval, WebSEAL records statistical information about incoming requests. The default value of 600 records statistics every 10 minutes.
To gather statistics at the specified interval, you must use the flow-data-enabled parameter, also in the [flow-data] stanza, to enable the flow data statistics on the appliance.
Note: You can configure the [user-agent] stanza to categorize the incoming user-agent requests and make the statistical data more meaningful. You can then view a statistical breakdown of all requests based on user-agent and junction.
Options
number_of_seconds
Specifies the interval that the appliance uses to collect flow data statistics.
Usage
This stanza entry is optional.
Default value
600
Example
flow-data-stats-interval = 600
[forms] stanza
allow-empty-form-fields
Syntaxallow-empty-form-fields = {true|false}
Description
If a forms login request is received with either an empty user name or an emptypassword, then WebSEAL returns the login form without stating an error. If youprefer that an error message is displayed with the returned login form, then set
Stanza reference 103
this value to "true". In this case, WebSEAL attempts to authenticate the user, and ifthe values have zero length, the registry returns the appropriate error.
Options
true Error message is displayed with the returned login form.
false Error message is not displayed with the returned login form.
Usage
This stanza entry is required.
Default value
false
Example
allow-empty-form-fields = false
forms-auth
Syntax
forms-auth = {none|http|https|both}
Description
Enables authentication using the Forms Authentication mechanism.
When forms authentication is enabled, you must also configure an appropriate authentication library by setting a key=value pair in the [authentication-mechanisms] stanza.
Options
{none|http|https|both}
    Specifies which protocols are supported. The value both means both HTTP and HTTPS.
Usage
This stanza entry is required.
Default value
none
Example
forms-auth = none
[gso-cache] stanza
gso-cache-enabled
Syntax
gso-cache-enabled = {yes|no}
Description
Enables or disables the Global Signon (GSO) cache.
Options
yes Enables the Global Signon (GSO) cache.
no Disables the Global Signon (GSO) cache.
Usage
This stanza entry is required.
Default value
no
Example
gso-cache-enabled = no
gso-cache-entry-idle-timeout
Syntax
gso-cache-entry-idle-timeout = number_of_seconds
Description
Integer value that specifies the timeout, in seconds, for cache entries that are idle.
Options
number_of_seconds
    The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache due to inactivity. However, they may still be removed because gso-cache-size is exceeded or because the gso-cache-entry-lifetime stanza entry is exceeded. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required, but is ignored when GSO caching is disabled.
Default value
120
Example
gso-cache-entry-idle-timeout = 120
gso-cache-entry-lifetime
Syntax
gso-cache-entry-lifetime = number_of_seconds
Description
Integer value that specifies the lifetime, in seconds, of a GSO cache entry.
Options
number_of_seconds
    The value must be greater than or equal to zero (0). A value of 0 means that entries are not removed from the GSO cache because their lifetime is exceeded. However, they may still be removed because gso-cache-size is exceeded or because the gso-cache-entry-idle-timeout stanza entry is exceeded. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required, but is ignored when GSO caching is disabled.
Default value
900
Example
gso-cache-entry-lifetime = 900
gso-cache-size
Syntax
gso-cache-size = number_of_entries
Description
Integer value indicating the number of entries allowed in the GSO cache.
Options
number_of_entries
    The value must be greater than or equal to zero (0). Zero means that there is no limit on the size of the GSO cache. This is not recommended.
    WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.
Usage
This stanza entry is required, but is ignored when GSO caching is disabled.
Default value
1024
Example
gso-cache-size = 1024
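The three [gso-cache] limits interact: an entry is dropped when it has been idle for gso-cache-entry-idle-timeout seconds, when it is older than gso-cache-entry-lifetime seconds, or when the cache holds more than gso-cache-size entries, and a value of 0 disables that one limit. The model below is an added example, not WebSEAL code; the page does not say which entry is evicted when the size limit is hit, so evicting the least recently used entry is an assumption, as are the clock values passed in as "now".

```python
"""Model of the [gso-cache] eviction rules: idle timeout, entry lifetime and
size cap, each disabled by 0. Added example, not WebSEAL code. Assumption:
when the cache is full the least recently used entry is the victim."""
from collections import OrderedDict


class GsoCache:
    def __init__(self, idle_timeout=120, lifetime=900, size=1024):
        if min(idle_timeout, lifetime, size) < 0:
            raise ValueError("all limits must be >= 0")
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        self.size = size
        # key -> (created, last_used, credential); insertion order = LRU order
        self._entries = OrderedDict()

    def put(self, key, credential, now):
        self._entries[key] = (now, now, credential)
        self._entries.move_to_end(key)
        # size limit: 0 means unlimited (the page says this is not recommended)
        while self.size and len(self._entries) > self.size:
            self._entries.popitem(last=False)   # assumption: LRU victim

    def get(self, key, now):
        """Return the cached credential or None if missing or expired."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        created, last_used, credential = entry
        if self.lifetime and now - created >= self.lifetime:
            del self._entries[key]          # gso-cache-entry-lifetime exceeded
            return None
        if self.idle_timeout and now - last_used >= self.idle_timeout:
            del self._entries[key]          # gso-cache-entry-idle-timeout exceeded
            return None
        self._entries[key] = (created, now, credential)   # refresh idle clock
        self._entries.move_to_end(key)
        return credential

    def __len__(self):
        return len(self._entries)
```

Note that use refreshes only the idle clock: an entry that is read every minute still disappears once the lifetime passes, which is what bounds how long a stale GSO credential can keep being replayed to a junction.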
[header-names] stanza
server-name
Syntax
server-name = {iv_server_name|(no value)}
Description
Specifies the name of the HTTP header used to pass the name of the authorization API administration server (the server used with the server task command) to junctioned applications.
For example, when server-name = iv_server_name and the WebSEAL instance is default-webseald-diamond.example.com, WebSEAL passes the following header and value to the junction:
iv_server_name:default-webseald-diamond.example.com
Options
iv_server_name
    Typically, the default value iv_server_name is used. However, you can replace it with any valid string. Valid strings are limited to the following characters: [A-Z], [a-z], [0-9], hyphen ( - ), or underscore ( _ ).
(no value)
    WebSEAL accepts a blank value for server-name, which can be used if the junctioned application uses a hardcoded server name instead of obtaining it from the header.
Usage
This stanza entry is required.
Default value
iv_server_name
Example
server-name = iv_server_name
[http-transformations] stanza
resource-name
Syntax
resource-name = resource-file
Description
Defines HTTP transformation resources. This configuration information is necessary to support WebSEAL HTTP transformations. You can use WebSEAL HTTP transformations to modify HTTP requests and HTTP responses (excluding the HTTP body) using XSLT.
Note: To enable the HTTP transformations for a particular resource, attach a POP to the appropriate part of the object space. This POP must contain an extended attribute with the name HTTPTransformation and one of the following values:
- Request = resource-name
- Response = resource-name
For more details, see the information about HTTP transformations in the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Options
resource-name
    The name of the HTTP transformation resource.
resource-file
    The name of the resource file.
    Note: You must restart WebSEAL for changes to an XSL rules file to take effect.
Usage
This stanza entry is optional.
Comments
If an HTTP transformation rule modifies the URI or Host header of the request, WebSEAL reprocesses the transformed request. This reprocessing ensures that the transformation does not bypass WebSEAL authorization. This behavior also means that administrators can define HTTP transformation rules to send requests to different junctions.
Note: WebSEAL performs reprocessing (and authorization) on the first HTTP transformation only. Transformed requests undergo HTTP transformation again if there is an appropriate POP attached to the associated object space. However, WebSEAL does not reprocess the new requests that result from these subsequent transformations.
Default value
None.
Example
resourceOne = resourceOne.xsl
[ICAP:<resource>] stanza
The [ICAP:<resource>] stanza is used to define a single ICAP resource. The <resource> component of the stanza name must be changed to the actual name of the resource. To enable the ICAP resource for a particular object, a POP must be attached to the appropriate part of the object space. This POP must contain an extended attribute with the name ICAP, and a value that is equal to the name of the configured ICAP resource.
URL
Syntax
URL = URL string
Description
The complete URL on which the ICAP server is expecting requests.
Options
URL URL string
Usage
Required
Default value
None
Example
URL = icap://icap.example.net:1344/filter?mode=strict
Note: In the example, icap is the protocol being used.
transaction
Syntax
transaction = {req | rsp}
Description
The transaction for which the resource is invoked.
Options
req The ICAP server is invoked on the HTTP request.
rsp The ICAP server is invoked on the HTTP response.
Usage
Required
Default value
None
Example
transaction = req
timeout
Syntax
timeout = seconds
Description
The maximum length of time (in seconds) that WebSEAL waits for a response from the ICAP server.
Options
seconds
    The time, in seconds, that WebSEAL waits for a response from the ICAP server.
Usage
Required
Default value
None
Example
timeout = 120
[illegal-url-substrings] stanza
Note: The [illegal-url-substrings] feature is deprecated. IBM might remove this feature in a subsequent release of the product.
substring
Syntax
substring = string
Description
WebSEAL blocks HTTP requests containing any of the substrings specified by these entries. Used to help mitigate the problems of cross-site scripting.
Options
string Character string.
Usage
This stanza entry is required.
Default value
<script
Example
substring = <script
substring = <applet
substring = <embed
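The following is an added example, not WebSEAL code, of the blocklist behaviour this stanza describes, run over constructed request lines. It models a literal, case-sensitive match on the raw request line; the page does not say whether WebSEAL decodes or case-folds before matching, so the bypass results below are a property of literal substring filters in general, not a statement about the product. The second checker, which decodes and case-folds first, is there only for contrast, and the sample requests are constructed.

```python
"""Literal substring blocklist (the [illegal-url-substrings] model) beside a
normalizing variant, evaluated on constructed request lines. Added example;
whether WebSEAL normalizes before matching is an assumption not made here."""
from urllib.parse import unquote

SUBSTRINGS = ["<script", "<applet", "<embed"]   # the documented example list


def blocked_literal(request_line, substrings=SUBSTRINGS):
    """True if any configured substring occurs verbatim in the request line."""
    return any(s in request_line for s in substrings)


def blocked_normalized(request_line, substrings=SUBSTRINGS):
    """Same check after percent-decoding twice (double encoding) and
    case-folding. Still a blocklist: it only catches the listed tags."""
    decoded = unquote(unquote(request_line)).lower()
    return any(s.lower() in decoded for s in substrings)


# Constructed request lines; none of these come from a real capture.
REQUESTS = {
    "plain":   "GET /search?q=<script>alert(1)</script> HTTP/1.1",
    "upper":   "GET /search?q=<SCRIPT>alert(1)</SCRIPT> HTTP/1.1",
    "encoded": "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "double":  "GET /search?q=%253Cscript%253E HTTP/1.1",
    "no_tag":  "GET /search?q=<img src=x onerror=alert(1)> HTTP/1.1",
    "benign":  "GET /docs/scripting-guide.html HTTP/1.1",
}


def evaluate(requests=REQUESTS):
    """Return {name: (literal_blocked, normalized_blocked)} per request."""
    return {name: (blocked_literal(line), blocked_normalized(line))
            for name, line in requests.items()}
```

The "no_tag" case is the practical point: an event-handler payload needs none of the listed tags, so even the normalizing variant passes it. Treat this stanza as defence in depth at best and rely on output encoding in the junctioned application.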
[interfaces] stanza
interface_name
Syntax
interface_name = property=value[;property=value...]
Description
This stanza is used to define additional interfaces on which this WebSEAL instance can receive requests.
A network interface is defined as the combined set of values for a specific group of properties that include the HTTP or HTTPS port setting, IP address, worker threads setting, and certificate handling setting.
Options
property
    Interface property. Can be selected from:
    network-interface=<ipAddress>
    http-port=<port> | "disabled"
    https-port=<port> | "disabled"
    certificate-label=<keyFileLabel>
    accept-client-certs="never" | "required" | "optional" | "prompt_as_needed"
    worker-threads=<count> | "default"
value
    Value of the property. Default values, if not present, include:
    network-interface=0.0.0.0
    http-port="disabled"
    https-port="disabled"
    certificate-label= (Uses key marked as default in key file.)
    accept-client-certs="never"
    worker-threads="default"
Usage
Entries in this stanza are optional.
Default value
None.
Example
(Entered as one line:)
support = network-interface=9.0.0.8;https-port=444;certificate-label=WS6;worker-threads=16
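A parser for the property=value[;property=value...] form above, with the documented defaults applied and a short review pass, as an added example that is not IBM code. The property names, their allowed values and the defaults come from the reference text; the validation rules (port range, IP syntax) and the review findings are this example's own choices, and the stanza lines fed in are constructed.

```python
"""Parse one [interfaces] stanza line into a property dict with defaults,
then flag settings a reviewer would question. Added example, not WebSEAL
code; validation rules and findings are assumptions layered on the reference."""
import ipaddress

ALLOWED_CLIENT_CERTS = {"never", "required", "optional", "prompt_as_needed"}

DEFAULTS = {                       # documented defaults when a property is absent
    "network-interface": "0.0.0.0",
    "http-port": "disabled",
    "https-port": "disabled",
    "certificate-label": None,     # None: key marked as default in the key file
    "accept-client-certs": "never",
    "worker-threads": "default",
}


def _port(value):
    if value == "disabled":
        return "disabled"
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def parse_interface(line):
    """Return (interface_name, properties) for one stanza line."""
    name, _, props = line.partition("=")
    name = name.strip()
    if not name:
        raise ValueError("missing interface name")
    result = dict(DEFAULTS)
    for item in props.split(";"):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if not sep or key not in DEFAULTS:
            raise ValueError(f"unknown property: {key!r}")
        if key == "network-interface":
            ipaddress.ip_address(value)            # raises on a malformed address
        elif key in ("http-port", "https-port"):
            value = _port(value)
        elif key == "accept-client-certs":
            if value not in ALLOWED_CLIENT_CERTS:
                raise ValueError(f"bad accept-client-certs: {value}")
        elif key == "worker-threads":
            value = value if value == "default" else int(value)
        result[key] = value
    return name, result


def audit(props):
    """Return findings a reviewer would raise for one parsed interface."""
    findings = []
    if props["http-port"] == "disabled" and props["https-port"] == "disabled":
        findings.append("interface accepts no traffic: both ports disabled")
    if props["http-port"] != "disabled":
        findings.append("cleartext HTTP listener enabled")
    if props["https-port"] != "disabled" and props["certificate-label"] is None:
        findings.append("HTTPS listener uses the key file's default certificate")
    if props["accept-client-certs"] != "never" and props["https-port"] == "disabled":
        findings.append("client certificates requested but no HTTPS port")
    return findings
```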
[itim] stanza
This stanza contains the configuration options for the IBM Security Identity Manager Password Synchronization Plug-in. The Password Synchronization Plug-in synchronizes user passwords from IBM Security Access Manager for Web to IBM Security Identity Manager, previously known as IBM Tivoli Identity Manager.
For more information about this plug-in, see the Password Synchronization Plug-in for IBM Security Access Manager Installation and Configuration Guide, which you can find in the IBM Security Identity Manager Information Center:
http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.isim.doc_6.0/ic-homepage.htm
is-enabled
Syntax
is-enabled = {true|false}
Description
Determines whether the Password Synchronization Plug-in for IBM Security Identity Manager is enabled.
Options
true Enables the Password Synchronization Plug-in.
false Disables the Password Synchronization Plug-in.
Usage
This stanza entry is optional.
Default value
false
Example
is-enabled = false
itim-server-name
Syntax
itim-server-name = <itim_server>
Description
Specifies the host name or IP address of the server that is running IBM Security Identity Manager.
Note: In a WebSphere Application Server cluster environment, you must configure SSL for the IBM HTTP Server. In a WebSphere Application Server single-server environment, you do not need to configure SSL for the IBM HTTP Server.
Options
<itim_server>
    Specifies the host name or IP address of the IBM Security Identity Manager server that communicates with IBM Security Access Manager for Web.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
itim-server-name = identityMgr01.ibm.com
itim-servlet-context
Syntax
itim-servlet-context = <directory_path>
Description
Indicates the password synchronization context root on the application server.
Options
<directory_path>
    Specifies the directory path for the password synchronization context root on the application server.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
/passwordsynch/synch
Example
itim-servlet-context = /passwordsynch/synch
keydatabase-file
Syntax
keydatabase-file = <file_name>
Description
Specifies the name of the key database file.
Options
<file_name>
    The name of the key database file.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
keydatabase-file = revpwdsync.kdb
keydatabase-password
Syntax
keydatabase-password = <db_password>
Description
Specifies the password for the key database in the keydatabase-file.
Note: The IBM Security Web Gateway Appliance uses stash files to manage the passwords for key files. As a result, key file passwords are not available to the administrator of the appliance.
If you do not know the password for the key database file, you can use the keydatabase-password-file entry to specify the name of the password stash file instead. If you configure the keydatabase-password-file entry, you can leave the keydatabase-password entry unconfigured.
The Password Synchronization Plug-in requires knowledge of the database password. Therefore, if you do not configure the keydatabase-password-file entry, you must configure the keydatabase-password entry. To complete this configuration, follow this process:
1. Create the key file externally to the appliance. Use a known password to generate the new key file.
2. Import the key file on to the appliance.
3. Configure the keydatabase-password configuration entry with the known password for the Password Synchronization Plug-in.
Options
<db_password>
    Specifies the password for the key database file.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
- keydatabase-password
- keydatabase-password-file
Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.
Default value
None.
Example
keydatabase-password = myPassword1
keydatabase-password-file
Syntax
keydatabase-password-file = <password_stash_file>
Description
Specifies the name of the stash file that stores the password for the key database.
Options
<password_stash_file>
    Specifies the name of the stash file that stores the password for the key database.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, you must set one of the following entries for the key database password:
- keydatabase-password
- keydatabase-password-file
Note: If there is a value configured for both of these entries, WebSEAL uses the keydatabase-password.
Default value
None.
Example
keydatabase-password-file = dbPassword.sth
principal-name
Syntax
principal-name = <user_name>
Description
Specifies an IBM Security Identity Manager user ID that has the necessary permissions to complete the check and synchronization operations.
Note: Do not use the ITIM manager account for this purpose. Create a separate account on the IBM Security Identity Manager server with the same permissions.
Options
<user_name>
    Specifies the name of the IBM Security Identity Manager user that the Password Synchronization Plug-in can use to request synchronization operations.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
principal-name = admin_userA
principal-password
Syntax
principal-password = <user_password>
Description
Specifies the password of the IBM Security Identity Manager user that is specified by principal-name.
Options
<user_password>
    Specifies the password for the IBM Security Identity Manager account.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
None.
Example
principal-password = myPassword1
service-password-dn
Syntax
service-password-dn = <service_pseudo_dn>
Description
Defines the pseudo-distinguished name of the service that issues the password synchronization request.
The Password Synchronization Plug-in uses the service-password-dn pseudo-distinguished name for requests that use the standard password authentication method. If this configuration entry is specified, it overrides service-source-dn when using the password authentication method.
Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.
Each pseudo-distinguished name is a comma-separated list of the following attributes:
- The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
- The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
- The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.
The pseudo-distinguished name that is formed from these example values is:
erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com
Options
<service_pseudo_dn>
    Specifies the service pseudo-distinguished name for the standard password authentication method.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
- service-source-dn
- service-password-dn
- service-token-card-dn
Default value
None.
Example
service-password-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com
service-source-dn
Syntax
service-source-dn = <service_pseudo_dn>
Description
Defines the pseudo-distinguished name of the service that issues the password synchronization request. The service-source-dn entry supplies the pseudo-distinguished name for all authentication methods.
Note: You can specify more than one pseudo-distinguished name in the value of this configuration entry. Separate the pseudo-distinguished names with a semicolon (;) character. The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.
Each pseudo-distinguished name is a comma-separated list of the following attributes:
- The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
- The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
- The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.
The pseudo-distinguished name that is formed from these example values is:
erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com
Options
<service_pseudo_dn>
    Specifies the service pseudo-distinguished name for all authentication methods.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
- service-source-dn
- service-password-dn
- service-token-card-dn
Default value
None.
Example
service-source-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com;erservicename=TAM Customers Service,o=IBM,ou=IBM,dc=com
service-token-card-dn
Syntax
service-token-card-dn = <service_pseudo_dn>
Description
Defines the pseudo-distinguished name of the service that issues the password synchronization request.
The Password Synchronization Plug-in uses the service-token-card-dn pseudo-distinguished name for requests that use the token card authentication method. If this configuration entry is specified, it overrides service-source-dn when using the token card authentication method.
Note: You can specify more than one pseudo-distinguished name. Separate the pseudo-distinguished names with a semicolon (;). The Password Synchronization Plug-in iterates through the list of service names until it finds an account for one of the services. If the Password Synchronization Plug-in cannot find an account for the specified services, it returns an error message.
Each pseudo-distinguished name is a comma-separated list of the following attributes:
- The erservicename attribute of the Security Access Manager service name, as defined in IBM Security Identity Manager. For example, erservicename=TAM 6.0 Service.
- The o attribute of the organization to which the service belongs. For example, o=International Business Machines.
- The ou and dc attributes from the service distinguished name in IBM Security Identity Manager. For example, ou=IBM,dc=com.
The pseudo-distinguished name that is formed from these example values is:
erservicename=TAM 6.0 Service,o=International Business Machines,ou=IBM,dc=com
Options
<service_pseudo_dn>
    Specifies the service pseudo-distinguished name for the token card authentication method.
Usage
If the is-enabled configuration entry in the [itim] stanza is set to true, then you must configure at least one of the following configuration entries:
- service-source-dn
- service-password-dn
- service-token-card-dn
Default value
None.
Example
service-token-card-dn = erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com
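The three service-*-dn entries form a small precedence rule: service-password-dn and service-token-card-dn each override service-source-dn for their own authentication method, every other method falls back to service-source-dn, and whichever list applies is walked until a service with an account for the user is found. The code below is an added example, not the plug-in's code. The pseudo-DN strings are the ones from the examples above; the account directory is a constructed dict keyed by pseudo-DN, standing in for the lookup the real plug-in makes against IBM Security Identity Manager.

```python
"""Select and walk the [itim] service pseudo-DN list for one request.
Added example, not Password Synchronization Plug-in code; the account
lookup is a constructed dict, the method names "password" and
"token-card" are this example's labels."""


def parse_pseudo_dns(value):
    """Split 'dn1;dn2' into [[(attr, val), ...], ...]; blank items are skipped."""
    result = []
    for dn in (value or "").split(";"):
        dn = dn.strip()
        if not dn:
            continue
        pairs = []
        for part in dn.split(","):
            attr, sep, val = part.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"bad RDN {part!r} in {dn!r}")
            pairs.append((attr.strip(), val.strip()))
        result.append(pairs)
    return result


def normalize(pairs):
    """Canonical form for lookups: attribute names lower-cased, values kept."""
    return ",".join(f"{attr.lower()}={val}" for attr, val in pairs)


def service_list(config, auth_method):
    """service-password-dn / service-token-card-dn override service-source-dn
    for their own method; any other method uses service-source-dn."""
    specific = {"password": "service-password-dn",
                "token-card": "service-token-card-dn"}.get(auth_method)
    value = config.get(specific) if specific else None
    if not value:
        value = config.get("service-source-dn")
    dns = parse_pseudo_dns(value)
    if not dns:
        raise ValueError("no service pseudo-DN configured for this request")
    return dns


def find_account(config, auth_method, user, accounts):
    """Return (service, account_id) for the first service that has an account
    for the user; raise LookupError where the plug-in would report an error."""
    for dn in service_list(config, auth_method):
        key = normalize(dn)
        account = accounts.get(key, {}).get(user)
        if account is not None:
            return key, account
    raise LookupError(f"no account for {user!r} on any configured service")


# Constructed [itim] values and a constructed account directory.
CONFIG = {
    "service-source-dn": ("erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com;"
                          "erservicename=TAM Customers Service,o=IBM,ou=IBM,dc=com"),
    "service-token-card-dn": "erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com",
}
ACCOUNTS = {
    "erservicename=ISAM Employees Service,o=IBM,ou=IBM,dc=com": {"alice": "emp-0001"},
    "erservicename=TAM Customers Service,o=IBM,ou=IBM,dc=com": {"carol": "cust-0042"},
}
```

With this configuration a token-card request for a customer-only user fails even though service-source-dn lists the customers service, because the more specific entry replaces the list rather than extending it. That is the case to test when you add a service-*-dn override.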
servlet-port
Syntax
servlet-port = <port_number>
Description
Specifies the port number for communicating with the IBM Security Identity Manager server that is specified by the itim-server-name configuration entry.
The default HTTPS port is 9443 for a single-server configuration and 443 for an IBM Security Identity Manager cluster with HTTP SSL configured.
Options
<port_number>
    Specifies the port number for communication with the IBM Security Identity Manager server.
Usage
This stanza entry is required when the is-enabled configuration entry in the [itim] stanza is set to true.
Default value
9443
Example
servlet-port = 9443
[jdb-cmd:replace] stanza
jct-id=search-attr-value|replace-attr-value
Syntax
jct-id = search-attr-value|replace-attr-value
Description
Defines the mapping rules for the jdb import command. These mapping rules are applied to each attribute in the junction archive file before you import the new junction database.
Options
jct-id
    Refers to the junction point for a standard junction, which includes the leading '/' (slash), or the virtual host label for a virtual host junction.
search-attr-value
    Specifies the attribute value in the junction definition that you want to search for.
replace-attr-value
    Specifies the new attribute value that replaces each match of search-attr-value in the junction definition.
Usage
This stanza entry is not required.
Default value
None.
Example
/test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com
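How a [jdb-cmd:replace] rule set is applied to a junction archive, as an added example that is not the jdb command itself. The archive here is a constructed in-memory dict of junction id to attribute dict. Two things are assumptions: that the search value is replaced wherever it occurs inside an attribute value (the page says search and replace but not whether it is whole-value or substring), and that a rule only touches the junction named by its jct-id.

```python
"""Parse [jdb-cmd:replace] rules (jct-id = search|replace) and apply them to a
constructed junction archive before import. Added example, not jdb code;
substring replacement and per-junction scope are assumptions."""


def parse_rules(stanza_lines):
    """Return [(jct_id, search, replace), ...] from stanza body lines."""
    rules = []
    for raw in stanza_lines:
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue                      # blank, comment, or the stanza header
        jct_id, sep, mapping = line.partition("=")
        if not sep or "|" not in mapping:
            raise ValueError(f"malformed rule: {raw!r}")
        search, replace = (part.strip() for part in mapping.split("|", 1))
        if not search:
            raise ValueError(f"empty search value in rule: {raw!r}")
        rules.append((jct_id.strip(), search, replace))
    return rules


def apply_rules(archive, rules):
    """Return (new_archive, changes) without mutating the input archive;
    changes counts replaced attributes per junction."""
    out = {jct: dict(attrs) for jct, attrs in archive.items()}
    changes = {}
    for jct_id, search, replace in rules:
        attrs = out.get(jct_id)
        if attrs is None:
            continue                      # rule names a junction not in the archive
        for name, value in attrs.items():
            if isinstance(value, str) and search in value:
                attrs[name] = value.replace(search, replace)
                changes[jct_id] = changes.get(jct_id, 0) + 1
    return out, changes


# Constructed archive: two standard junctions and one virtual host junction.
ARCHIVE = {
    "/test-jct": {"server": "webseal.au.ibm.com", "port": "443",
                  "hostname-header": "webseal.au.ibm.com"},
    "/other":    {"server": "webseal.au.ibm.com", "port": "80"},
    "vhost-app": {"server": "app.example.com", "port": "8443"},
}

RULES = parse_rules([
    "[jdb-cmd:replace]",
    "/test-jct = webseal.au.ibm.com|webseal.gc.au.ibm.com",
    "vhost-app = app.example.com|app-dr.example.com",
])
```

The change counter is the review aid: a rule that reports zero changes is either mis-keyed or already applied, and a count higher than expected means the search string matched attributes you did not intend to rewrite.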
[junction] stanza
allow-backend-domain-cookies
Syntax
allow-backend-domain-cookies = {yes|no}
Description
Indicates whether WebSEAL is allowed to send domain cookies from a back-end server to a client.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
yes Enable WebSEAL to send domain cookies from a back-end server to a client.
no  Prevent WebSEAL from sending domain cookies from a back-end server to a client.
Usage
This stanza entry is required.
Default value
no
Example
allow-backend-domain-cookies = no
basicauth-dummy-passwd
Syntax
basicauth-dummy-passwd = dummy_password
Description
Global password used when supplying basic authentication data over junctions that were created with the -b supply argument.
Options
dummy_password
    Global password used when supplying basic authentication data over junctions that were created with the -b supply argument. Passwords must consist of ASCII characters.
Usage
This stanza entry is required.
Default value
dummy
Example
basicauth-dummy-passwd = dummy
crl-ldap-server
Syntax
crl-ldap-server = server_name
Description
Specifies the server to be contacted to obtain Certificate Revocation Lists (CRL).
Options
server_name
    This parameter can be set to one of two types of values:
    1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:
       - crl-ldap-server-port
       - crl-ldap-user
       - crl-ldap-user-password
    2. The literal string "URI". In the case where no direct LDAP server is available, this allows GSKit to obtain revocation information from the LDAP or HTTP servers specified by the CA in the CRL Distribution Point (CDP) extension of the certificate.
    Note: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.
Usage
This stanza entry is optional.
Default value
None.
Example
crl-ldap-server = diamond.example.com
crl-ldap-server-port
Syntax
crl-ldap-server-port = port_number
Description
Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during authentication across SSL junctions.
Options
port_number
    Port number for communication with the LDAP server specified in crl-ldap-server.
Usage
This stanza entry is optional. When crl-ldap-server is specified, this stanza entry is required.
Default value
None.
Example
crl-ldap-server-port = 389
crl-ldap-user
Syntax
crl-ldap-user = user_DN
Description
Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List.
Options
user_DN
    Fully qualified distinguished name (DN) of an LDAP user who has permissions to retrieve the Certificate Revocation List. A null value for crl-ldap-user indicates that the SSL authenticator should bind to the LDAP server anonymously.
Usage
This stanza entry is optional.
Default value
None.
Example
crl-ldap-user = user_DN
crl-ldap-user-password
Syntax
crl-ldap-user-password = password
Description
The password for the LDAP user specified in the crl-ldap-user stanza entry.
Options
password
    The password for the LDAP user specified in the crl-ldap-user stanza entry.
Usage
This stanza entry is optional. When crl-ldap-user is specified, this stanza entry is required.
Default value
None.
Example
crl-ldap-user-password = mypassw0rd
disable-ssl-v2
Syntax
disable-ssl-v2 = {yes|no}
Description
Disables support for SSL Version 2 for junction connections. Support for SSL v2 is disabled by default.
Options
yes The value yes means support is disabled.
no The value no means the support is enabled.
Usage
This stanza entry is optional. When not specified, the default is yes. The WebSEAL configuration sets this value.
Default value
yes
Example
disable-ssl-v2 = yes
disable-ssl-v3
Syntax
disable-ssl-v3 = {yes|no}
Description
Disables support for SSL Version 3 for junction connections. Support for SSL v3 is enabled by default.
Options
yes The value yes means support is disabled.
no  The value no means support is enabled.
Usage
This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.
Default value
no
Example
disable-ssl-v3 = no
disable-tls-v1
Syntax
disable-tls-v1 = {yes|no}
Description
Disables support for TLS Version 1 for junction connections. Support for TLS v1 is enabled by default.
Options
yes The value yes means support is disabled.
no  The value no means support is enabled.
Usage
This stanza entry is optional. When not specified, the default is no. The WebSEAL configuration sets this value.
Default value
no
Example
disable-tls-v1 = no
disable-tls-v11
Syntax
disable-tls-v11 = {yes|no}
Description
Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1 for junction connections. Support for TLS v1.1 is enabled by default.
Options
yes The value yes disables support for TLS version 1.1.
no The value no enables support for TLS version 1.1.
Usage
This stanza entry is optional. If this entry is not specified, the default is no.
Default value
no
Example
disable-tls-v11 = no
disable-tls-v12
Syntax
disable-tls-v12 = {yes|no}
Description
Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2 for junction connections. Support for TLS v1.2 is enabled by default.
Options
yes The value yes disables support for TLS version 1.2.
no The value no enables support for TLS version 1.2.
Usage
This stanza entry is optional. If this entry is not specified, the default is no.
Default value
no
Example
disable-tls-v12 = no
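Read together, the five disable-* entries above leave SSL 3.0, TLS 1.0 and TLS 1.1 enabled on junctions when nothing is set, since only disable-ssl-v2 defaults to yes. The script below is an added example, not WebSEAL code: it derives the negotiable protocol set from a [junction] stanza using the defaults documented above and flags the versions current guidance rejects (SSL 2.0 and 3.0, and TLS 1.0 and 1.1, which RFC 8996 deprecates). The two stanza texts are constructed; the "#" comment syntax in the parser is an assumption about the config format.

```python
"""Derive enabled junction SSL/TLS versions from [junction] disable-* entries
and flag weak ones. Added example, not WebSEAL code; the stanza texts are
constructed and "#" comments are an assumption about the config syntax."""

PROTOCOL_ENTRIES = {               # entry -> (protocol, documented default)
    "disable-ssl-v2":  ("SSLv2",   "yes"),
    "disable-ssl-v3":  ("SSLv3",   "no"),
    "disable-tls-v1":  ("TLSv1.0", "no"),
    "disable-tls-v11": ("TLSv1.1", "no"),
    "disable-tls-v12": ("TLSv1.2", "no"),
}
WEAK = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_stanza(text, name):
    """Return {entry: value} for the named stanza of a WebSEAL-style config."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current == name and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip()] = value.strip()
    return entries


def enabled_protocols(junction_entries):
    """Protocols a junction may negotiate, applying documented defaults."""
    enabled = set()
    for entry, (proto, default) in PROTOCOL_ENTRIES.items():
        value = junction_entries.get(entry, default).lower()
        if value not in ("yes", "no"):
            raise ValueError(f"{entry} must be yes or no, got {value!r}")
        if value == "no":
            enabled.add(proto)
    return enabled


def review(config_text):
    enabled = enabled_protocols(parse_stanza(config_text, "junction"))
    return {"enabled": sorted(enabled),
            "weak": sorted(enabled & WEAK),
            "ok": "TLSv1.2" in enabled and not (enabled & WEAK)}


# Constructed stanzas: the documented defaults, and a hardened configuration.
DEFAULT_CONFIG = """
[junction]
# nothing set: the documented defaults apply
"""

HARDENED_CONFIG = """
[junction]
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = yes
disable-tls-v11 = yes
disable-tls-v12 = no
"""
```

Before applying the hardened stanza, confirm every junctioned server actually negotiates TLS 1.2; with only TLS 1.2 enabled, a back end stuck on TLS 1.0 stops answering rather than downgrading.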
dont-reprocess-jct-404s
Syntax
dont-reprocess-jct-404s = {yes|no}
Description
If a resource cannot be found on a back-end server, that server returns an HTTP 404 error. The dont-reprocess-jct-404s stanza entry controls whether or not WebSEAL processes the request again by prepending the junction name to the URL.
You should never need to enable this stanza entry if you follow this best practice for junctions: the junction name should not match any directory name used in the Web space of the back-end server if HTML pages from that server contain programs (such as JavaScript or applets) with server-relative URLs to that directory.
The following scenario can occur when one does not adhere to this best practice for junctions:
1. A resource is located in the following subdirectory (using the same name as the junction) on the back-end server: /jct/page.html.
2. A page received by the client from this back-end server contains the following URL: /jct/page.html
3. When the link is followed, WebSEAL can immediately process the request because it recognizes what it thinks is the junction name in the URL. No configured URL modification technique is required.
4. At the time the request is forwarded to the back-end server, the junction name (/jct) is removed from the URL. The resource (/page.html) is not found at the root of the back-end server file system. The server returns a 404 error.
5. If WebSEAL is configured with dont-reprocess-jct-404s = no, it reprocesses the URL and prepends the junction name to the original URL: /jct/jct/page.html
6. Now the resource is successfully located at /jct/page.html on the back-end server.
NOTE:
- The default behavior in WebSEAL is to reprocess a request URL after an HTTP 404 error is returned from the back-end server. You can set the value of dont-reprocess-jct-404s to yes to override this default behavior.
- If the reprocess-root-jct-404s entry (also in the [junction] stanza) has been set to yes, then root junction resource requests that result in an HTTP 404 error will be reprocessed regardless of the setting of this dont-reprocess-jct-404s stanza entry.
Options
yes When the back-end server returns an HTTP 404 error, do not reprocess the request URL.
no  When the back-end server returns an HTTP 404 error, reprocess the request URL by prepending the junction name to the existing URL.
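A walk-through of the six-step scenario above in code, as an added example that is not WebSEAL's implementation. The request path is matched against the configured junction names, the junction prefix is stripped before forwarding, and when the back end answers 404 and dont-reprocess-jct-404s = no the request is retried once with the junction name prepended. The junction list and the back-end content are constructed; reprocess-root-jct-404s is not modelled, and the longest-prefix junction match is an assumption.

```python
"""Model of dont-reprocess-jct-404s: strip the junction name, forward, and on
404 retry with the junction name prepended when reprocessing is allowed.
Added example, not WebSEAL code; back-end content is a constructed dict and
longest-prefix junction matching is an assumption."""


def match_junction(path, junctions):
    """Longest junction name that is a path prefix of the request, or None."""
    hits = [j for j in junctions if path == j or path.startswith(j + "/")]
    return max(hits, key=len) if hits else None


def resolve(path, junctions, backend, dont_reprocess=True):
    """Return (status, junction, backend_path, attempts) for one request.
    backend maps junction -> set of paths that exist on that server."""
    attempts = []

    def forward(jct, rel):
        attempts.append((jct, rel))
        return 200 if rel in backend.get(jct, ()) else 404

    jct = match_junction(path, junctions)
    if jct is None:
        return 404, None, path, attempts
    rel = path[len(jct):] or "/"          # step 4: junction name removed
    if forward(jct, rel) == 200:
        return 200, jct, rel, attempts
    if not dont_reprocess:                 # step 5: dont-reprocess-jct-404s = no
        retry = jct + rel
        if forward(jct, retry) == 200:
            return 200, jct, retry, attempts
    return 404, jct, rel, attempts


def junction_name_collisions(junctions, backend):
    """Junctions whose name also exists as a directory on their own back end,
    the configuration the best practice above tells you to avoid."""
    return sorted(j for j in junctions
                  if any(p.startswith(j + "/") for p in backend.get(j, ())))


# Constructed back-end content: the /jct server really has a /jct directory.
JUNCTIONS = ["/jct", "/app"]
BACKEND = {
    "/jct": {"/jct/page.html", "/index.html"},
    "/app": {"/index.html"},
}
```

The second forwarded attempt is the cost of the reprocessing setting: every genuine 404 on a reprocessing junction becomes two back-end requests, which is why fixing the junction naming collision is preferable to relying on the retry.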
Usage
This stanza entry is required.
Default value
The default value in the template configuration file is yes.
Example
dont-reprocess-jct-404s = yes
dynamic-addresses
Syntax
dynamic-addresses = {yes|no}
Description
Indicates when the junction server host name is resolved to its corresponding IP address and used in communication with the junction server.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza, where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
yes The junction server host name is resolved to its corresponding IP address immediately before any communication with the junction server.
no  The junction server host name is resolved to its corresponding IP address once, and this address is used for subsequent communication with the junction server.
Usage
This stanza entry is required.
Default value
no
Example
dynamic-addresses = no
http-timeout
Syntax
http-timeout = number_of_seconds
Description
Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
number_of_seconds
Integer value indicating the timeout, in seconds, for sending to and reading from a TCP junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required.
Default value
120
Example
http-timeout = 120
https-timeout
Syntax
https-timeout = number_of_seconds
Description
Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
number_of_seconds
Integer value indicating the timeout, in seconds, for sending to and reading from a Secure Socket Layer (SSL) junction. The minimum value is 0. When the value is 0, there is no timeout. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required.
Default value
120
Example
https-timeout = 120
insert-client-real-ip-for-option-r
Syntax
insert-client-real-ip-for-option-r = {yes|no}
Description
Determines whether to use the current IP address of the client or the one cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.
Options
yes Use the current IP address of the client for the value passed in a header to junctions created with the -r option.
no Use the client IP address cached in the credentials at authentication time for the value passed in a header to junctions created with the -r option.
Usage
This stanza entry is required.
Default value
no
Example
insert-client-real-ip-for-option-r = no
io-buffer-size
Syntax
io-buffer-size = number_of_bytes
Description
Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.
Options
number_of_bytes
Positive integer value indicating the buffer size, in bytes, for low-level reads from and writes to a junction.
The minimum value is 1. WebSEAL does not impose a maximum value.
A very small value (for instance, 10 bytes) can hurt performance by causing very frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.
However, the low-level I/O functions may have their own internal buffers, such as the TCP send and receive buffers. Once io-buffer-size exceeds the size of those buffers (which are typically not large), there is no further performance improvement because those functions only read part of the buffer at a time.
Reasonable values for io-buffer-size range between 1 kB and 8 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread communicating with the junctioned server, since there is both an input and an output buffer.
Usage
This stanza entry is required.
Default value
4096
Example
io-buffer-size = 4096
jct-cert-keyfile
Syntax
jct-cert-keyfile = file_name
Description
WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile parameter specifies the junction certificate keyfile. If this option is enabled, this is the keyfile used for CA and client certificates when negotiating SSL sessions with junctions.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
Options
file_name
The name of the optional, separate junction certificate keyfile.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage
This stanza entry is optional.
Default value
pdjct.kdb
Example
jct-cert-keyfile = pdjct.kdb
jct-cert-keyfile-stash
Syntax
jct-cert-keyfile-stash = file_name
Description
WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. The jct-cert-keyfile-stash parameter specifies the stash file for the optional, separate junction certificate database.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
Options
file_name
The name of the stash file for the optional, separate junction certificate database.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage
This stanza entry is optional.
Default value
pdjct.sth
Example
jct-cert-keyfile-stash = pdjct.sth
jct-cert-keyfile-pwd
Syntax
jct-cert-keyfile-pwd = password
Description
WebSEAL provides an option to configure a separate certificate key database for junction SSL operations rather than sharing the one used for client certificates specified in the [ssl] stanza. When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by jct-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.
Note: This stanza entry is commented out in the WebSEAL configuration file. To enable the option of using a separate certificate key database for junctioned servers, create the /var/pdweb/www-default/certs/pdjct.kdb keyfile (and optional stash file) using iKeyman, and uncomment the options jct-cert-keyfile and either jct-cert-keyfile-stash or jct-cert-keyfile-pwd in the configuration file.
Options
password
Password used to protect private keys in the optional, separate junction certificate key database.
Note: If jct-cert-keyfile is defined, then either jct-cert-keyfile-pwd or jct-cert-keyfile-stash must also be defined.
Usage
This stanza entry is optional.
Default value
none
Example
jct-cert-keyfile-pwd = J73R45huu
jct-ocsp-enable
Syntax
jct-ocsp-enable = {yes|no}
Description
Enable Online Certificate Status Protocol (OCSP) for checking the revocation status of certificates supplied by a junction server, using the OCSP URL embedded in the certificate's Authority Info Access (AIA) extension.
Options
yes Enable OCSP to check the revocation status of junction server supplied certificates.
no Disable OCSP checking of junction server supplied certificates.
Usage
This stanza entry is optional.
Note: This option can be used as an alternative to, or in conjunction with, the jct-ocsp-url option.
Default value
no
Example
jct-ocsp-enable = no
jct-ocsp-max-response-size
Syntax
jct-ocsp-max-response-size = number_of_bytes
Description
Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.
Options
number_of_bytes
Maximum response size, in bytes.
Usage
This stanza entry is optional.
Default value
204080
Example
jct-ocsp-max-response-size = 20480
jct-ocsp-nonce-check-enable
Syntax
jct-ocsp-nonce-check-enable = {yes|no}
Description
Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the jct-ocsp-nonce-generation-enable option.
Options
yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.
no WebSEAL does not check the nonce in the OCSP response.
Usage
This stanza entry is optional.
Default value
no
Example
jct-ocsp-nonce-check-enable = no
jct-ocsp-nonce-generation-enable
Syntax
jct-ocsp-nonce-generation-enable = {yes|no}
Description
Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL, but it may cause an excessive load on an OCSP Responder appliance because the responder cannot use cached responses and must sign each response.
Options
yes WebSEAL generates a nonce as part of the OCSP request.
no WebSEAL does not generate a nonce as part of the OCSP request.
Usage
This stanza entry is optional.
Default value
no
Example
jct-ocsp-nonce-generation-enable = no
jct-ocsp-proxy-server-name
Syntax
jct-ocsp-proxy-server-name = <proxy host name>
Description
Specifies the name of the proxy server that provides access to the OCSP responder.
Options
proxy host name
Fully qualified name of the proxy server.
Usage
This stanza entry is optional.
Default value
None
Example
jct-ocsp-proxy-server-name = proxy.ibm.com
jct-ocsp-proxy-server-port
Syntax
jct-ocsp-proxy-server-port = <proxy host port number>
Description
Specifies the port number of the proxy server that provides access to the OCSP Responder.
Options
proxy host port number
Port number used by the proxy server to route OCSP requests and responses.
Usage
This stanza entry is optional.
Default value
None
Example
jct-ocsp-proxy-server-port = 8888
jct-ocsp-url
Syntax
jct-ocsp-url = <OCSP Responder URL>
Description
Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL uses OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP works with existing certificates. WebSEAL first tries the OCSP Responder that is configured by this entry rather than the location specified by the AIA extension. If the revocation status is undetermined, and jct-ocsp-enable is set to yes, WebSEAL then tries to obtain the revocation status using the access method in the AIA extension.
Options
OCSP Responder URL
URL of the OCSP Responder.
Usage
This stanza entry is optional.
Default value
None
Example
jct-ocsp-url = http://responder.ibm.com/
jct-ssl-reneg-warning-rate
Syntax
jct-ssl-reneg-warning-rate = number_renegotiations/minute
Description
When this option is set to a value greater than zero (0), WebSEAL produces a warning message if the SSL session renegotiation rate between junction servers and WebSEAL reaches this level or greater. The value is specified as the number of renegotiations per minute.
Options
number_renegotiations/minute
Rate of session renegotiations between junction servers and WebSEAL.
Usage
This stanza entry is required.
Default value
0
Example
jct-ssl-reneg-warning-rate = 0
jct-undetermined-revocation-cert-action
Syntax
jct-undetermined-revocation-cert-action = {ignore | log | reject}
Description
Controls the action that WebSEAL takes if OCSP or CRL is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate value for this entry should be provided by the OCSP or CRL Responder owner.
Options
ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.
log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.
reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.
Usage
This stanza entry is optional.
Default value
log
Example
jct-undetermined-revocation-cert-action = log
jmt-map
Syntax
jmt-map = file_name
Description
The name of the file that contains the location of the Junction-to-Request Mapping Table (JMT).
The administrator can rename this file if necessary. The file name can be any file name valid for the operating system file system.
Options
file_name
Name of the file that contains the location of the Junction-to-Request Mapping Table (JMT).
Usage
This stanza entry is required.
Default value
jmt.conf
Example
jmt-map = jmt.conf
managed-cookies-list
Syntax
managed-cookies-list = list
Description
The managed-cookies-list contains a comma-separated list of patterns that will be matched against the names of cookies returned by junctioned servers. Cookies with names that match the patterns in this list are stored in the WebSEAL cookie jar and not returned to the client. Cookies that do not match these patterns are returned to the client browser.
The WebSEAL cookie jar is turned off by not specifying any cookies in the managed-cookies-list.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
list A comma-separated list of pattern-matched cookie names.
Usage
This stanza entry is optional.
Default value
This option is empty by default.
Example
managed-cookies-list = JSESS*,Ltpa*
mangle-domain-cookies
Syntax
mangle-domain-cookies = {yes | no}
Description
Enables or disables WebSEAL domain cookie name mangling behavior.
Note:
1. This option enables domain cookie mangling on a server-wide basis. The option cannot be configured on a per-junction basis.
2. This option is relevant only for junctions that use a reprocessing solution such as -j or JMT.
3. This option does not affect cookies listed in preserve-cookie-names.
Options
yes Enables WebSEAL to mangle the names of domain cookies. Information identifying the junction is added to the cookie name, and the cookie is only associated with that junction. If mangle-path-into-cookie-name is set to yes, then the backend path attribute information is also mangled into the cookie name.
no WebSEAL will not mangle the names of domain cookies.
Usage
This stanza entry is optional.
Default value
This option is disabled by default.
Example
mangle-domain-cookies = yes
match-vhj-first
Helps determine the order in which WebSEAL searches for a request in the standard or the virtual host junction table.
Syntax
match-vhj-first = {yes|no}
Description
WebSEAL manages separate junction tables for standard and virtual host junctions. When a request comes in, WebSEAL searches the virtual host junction table first. If WebSEAL does not find a match, it searches the table that manages standard junctions. The match-vhj-first configuration entry can reverse the search order so that WebSEAL searches the standard junction table before searching the virtual host junction table.
Options
yes WebSEAL searches the virtual host junction table first.
no WebSEAL searches the standard junction table first.
Usage
This stanza entry is required.
Default value
yes
Example
The following example tells WebSEAL to search the standard junction table first:
match-vhj-first = no
max-cached-persistent-connections
Syntax
max-cached-persistent-connections = number_of_connections
Description
The maximum number of persistent connections that will be stored in the cache for future use. Connections with junctioned Web servers will be cached for future use unless the configured limit (as defined by this configuration entry) is reached, or unless a Connection: close header is received in the HTTP response.
Note: If this setting is enabled, there is the potential for different user sessions to use the same connection when processing junction requests. To disable the persistent connection functionality, specify a max-cached-persistent-connections value of zero (0).
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
number_of_connections
Integer value indicating the maximum number of persistent connections that will be stored in the cache for future use. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.
Usage
This stanza entry is required.
Default value
0
Example
max-cached-persistent-connections = 0
max-webseal-header-size
Syntax
max-webseal-header-size = number_of_bytes
Description
Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. Headers greater in size than this value are split across multiple HTTP headers.
Note: The max-webseal-header-size entry does not limit the maximum size of HTTP-Tag-Value headers.
Options
number_of_bytes
Integer value indicating the maximum size, in bytes, of HTTP headers generated by the WebSEAL server. A value of zero (0) disables this support. WebSEAL imposes no maximum on this value.
Usage
This stanza entry is required.
Default value
0
Example
max-webseal-header-size = 0
pass-http-only-cookie-atr
Syntax
pass-http-only-cookie-atr = {yes|no}
Description
Indicates whether WebSEAL will pass or remove the HttpOnly attribute from the Set-Cookie headers sent by junctioned servers.
Options
yes Enables WebSEAL to pass the HttpOnly attribute from Set-Cookie headers sent by junctioned servers.
no Enables WebSEAL to remove the HttpOnly attribute from Set-Cookie headers sent by junctioned servers.
Usage
This stanza entry is required.
Default value
no
Example
pass-http-only-cookie-atr = no
persistent-con-timeout
Syntax
persistent-con-timeout = number_of_seconds
Description
Indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is cleaned up and closed by WebSEAL.
Use an integer value lower than the configured maximum connection lifetime for the junctioned web server. For example, the connection lifetime for a junctioned Apache web server is controlled by the KeepAliveTimeout configuration entry.
You can customize the persistent-con-timeout configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_id}] stanza.
where {junction_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Note: If you do not use an integer value lower than the connection lifetime on the junctioned web server, you might encounter the following problem.
If the [junction] max-cached-persistent-connections configuration entry is set to a value greater than zero, WebSEAL reuses its TCP/IP session with the junctioned back-end server. If the junctioned back-end server closes the socket at the same time that WebSEAL starts to use this session to send a request, the request fails.
To send the request again, WebSEAL opens a new TCP/IP session. If the request body is larger than the size that WebSEAL can cache, WebSEAL fails to resend the request and generates a 500 error.
Options
number_of_seconds
Integer value that indicates the maximum number of seconds a persistent connection can remain idle in the cache before the connection is closed by WebSEAL. The minimum value is 1. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required.
Default value
5
Example
persistent-con-timeout = 5
ping-method
Syntax
ping-method = method
Description
The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional ping-method entry sets the HTTP request type used in these pings. The valid options include any valid HTTP request method (for example, HEAD or GET, for HTTP HEAD and HTTP GET requests respectively).
This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
method Perform an HTTP request using the specified method to determine the state of the junctioned server.
Usage
This stanza entry is optional.
Default value
HEAD
Example
ping-method = GET
ping-time
Syntax
ping-time = number_of_seconds
Description
Integer value indicating the number of seconds between pings issued by the WebSEAL server. The pings are issued periodically in the background to verify that junctioned Web servers are running.
If the server is deemed not running, the recovery-ping-time value determines the interval at which pings are sent until the server is running. The type of ping used is determined by the ping-method value. HTTP response code rules can be defined using the response-code-rules configuration entry.
Options
number_of_seconds
Integer value indicating the number of seconds between pings issued by the WebSEAL server. The minimum value is 1. WebSEAL does not impose a maximum value.
Usage
To turn this ping off, set this entry to zero. If this entry is set to zero, the recovery-ping-time must be set.
Default value
300
Example
ping-time = 300
ping-uri
Syntax
ping-uri = uri
Description
The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional ping-uri configuration entry defines the URI that is accessed by the ping request. The defined URI is relative to the root Web space of the junctioned Web server. If the URI is missing, this value defaults to /.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
uri The URI that is accessed by the ping request.
Usage
This stanza entry is optional.
Default value
/
Example
ping-uri = /apps/status
recovery-ping-time
Syntax
recovery-ping-time = number_of_seconds
Description
The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. This entry sets the interval, in seconds, between pings when the server is determined to be not running.
Options
number_of_seconds
Integer value indicating the number of seconds between pings issued by the WebSEAL server to a junctioned server that is determined to be not running. The minimum value is 1. WebSEAL does not impose a maximum value.
Usage
If this entry is not set, the recovery-ping-time defaults to the ping-time value.
Default value
300
Example
recovery-ping-time = 300
reprocess-root-jct-404s
Syntax
reprocess-root-jct-404s = {yes|no}
Description
Used to reprocess requests for root junction resources that result in an HTTP 404 error.
The dont-reprocess-jct-404s entry (also in the [junction] stanza) can be set to yes to avoid multiple attempts to prepend a junction point to the beginning of the URL string when reprocessing requests that have resulted in an HTTP 404 status code.
WebSEAL determines whether the request is already known to be for a non-local junction. However, WebSEAL fails to add a junction point when requests have been made for a root junction created at "/". To modify this behavior and cause requests for root junction resources that result in an HTTP 404 error to be reprocessed, you can use this reprocess-root-jct-404s stanza entry.
Options
yes Cause requests for root junction resources that result in an HTTP 404 error to be reprocessed regardless of the setting of the dont-reprocess-jct-404s entry (also in the [junction] stanza).
no The value for the dont-reprocess-jct-404s entry (also in the [junction] stanza) determines whether root junction requests that result in an HTTP 404 error are reprocessed. That is, if the value for dont-reprocess-jct-404s is no, then the HTTP 404 errors will still be reprocessed.
Usage
This stanza entry is optional.
Default value
no
Example
reprocess-root-jct-404s = yes
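The two reprocessing entries interact, and the walkthrough for dont-reprocess-jct-404s shows only one path through them. The following Python model is an added illustration written for this reference; it is not WebSEAL code. The back end is simulated as a set of paths, junction matching is assumed to be longest-prefix (the page does not describe the matcher), and the retry of a root junction ("/") is only decided, not rewritten, because the page does not define how that URL is reprocessed.

```python
"""Model of junction 404 reprocessing (added example, not WebSEAL code).

dont-reprocess-jct-404s = no : a back-end 404 is retried with the junction
name prepended (/jct/page.html -> /jct/jct/page.html, so the back end
sees /jct/page.html).  reprocess-root-jct-404s = yes forces the retry for
a root junction ("/") even when dont-reprocess-jct-404s = yes.
"""
from dataclasses import dataclass


@dataclass
class JunctionConfig:
    dont_reprocess_jct_404s: bool = True    # value in the template configuration file
    reprocess_root_jct_404s: bool = False   # default value


def match_junction(path, junction_points):
    """Pick the junction for a request path.  Assumption: the longest
    matching prefix wins, and a root junction "/" matches any path."""
    best = None
    for jct in junction_points:
        hit = jct == "/" or path == jct or path.startswith(jct.rstrip("/") + "/")
        if hit and (best is None or len(jct) > len(best)):
            best = jct
    return best


def backend_path(jct, path):
    """Step 4 of the walkthrough: strip the junction name before forwarding."""
    if jct == "/":
        return path
    return path[len(jct):] or "/"


def should_reprocess(jct, cfg):
    """Decide whether a back-end 404 triggers a second request."""
    if jct == "/" and cfg.reprocess_root_jct_404s:
        return True                         # forced for root junctions
    return not cfg.dont_reprocess_jct_404s


def resolve(request_path, junctions, cfg):
    """junctions maps junction point -> set of paths that exist on that
    back end.  Returns (status, list of back-end paths requested)."""
    jct = match_junction(request_path, junctions)
    if jct is None:
        return 404, []
    exists = junctions[jct]
    attempts = []
    path = request_path
    for attempt in range(2):
        target = backend_path(jct, path)
        attempts.append(target)
        if target in exists:
            return 200, attempts
        # Step 5: retry once with the junction name prepended.  The page does
        # not describe the rewritten path for a root junction, so only standard
        # junctions are retried here.
        if attempt == 0 and jct != "/" and should_reprocess(jct, cfg):
            path = jct + request_path
        else:
            break
    return 404, attempts


if __name__ == "__main__":
    # Constructed back end: /jct/page.html lives under /jct on the server.
    backend = {"/jct": {"/jct/page.html", "/index.html"}}
    for dont in (True, False):
        cfg = JunctionConfig(dont_reprocess_jct_404s=dont)
        print(f"dont-reprocess-jct-404s = {'yes' if dont else 'no'}:",
              resolve("/jct/page.html", backend, cfg))
```

With dont-reprocess-jct-404s = no every back-end 404 costs a second request to the junctioned server, which is the trade-off a practitioner weighs against the convenience of the prepend.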
reset-cookies-list
Syntax
reset-cookies-list = list
Description
Determines which cookies are reset when the user session is logged out. The request received from the client and the response sent back to the client are both examined for matching cookies.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
list A comma-separated list of patterns. WebSEAL will reset any cookies with names that match the patterns in this list.
Usage
This stanza entry is required.
Default value
nil
Example
reset-cookies-list = JSESS*,Ltpa*
response-code-rules
Syntax
response-code-rules = list
Description
The WebSEAL server performs a periodic background ping of each junctioned Web server to determine whether it is running. The optional response-code-rules configuration entry defines the rules that are used to determine whether HTTP responses indicate a healthy or an unhealthy junctioned Web server.
The configuration entry contains a space-separated list of rules. Each rule has the format: [+|-]<code> (for example, -50?)
where:
+ Indicates that this is a healthy response code.
- Indicates that this is an unhealthy response code.
<code> The corresponding response code, which can also contain pattern matching characters such as * and ?
The HTTP response codes are evaluated against each rule in sequence until a match is found. The corresponding sign (+|-) determines whether the junctioned Web server is healthy or not. If the response code matches no configured rules, the junctioned Web server is considered healthy.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
list A space-separated list of response code rules. These rules determine whether the response from a junctioned Web server indicates a healthy or an unhealthy server.
Usage
This stanza entry is optional.
Default value
nil
Example
response-code-rules = +2?? -*
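The ping entries above (ping-method, ping-time, ping-uri, recovery-ping-time and response-code-rules) describe one health-check loop. The following Python model of that loop is an added example for this reference, not WebSEAL code: it evaluates response-code-rules exactly as the page states (first matching rule wins, no match means healthy, ? and * as wildcards) and picks the next ping interval from ping-time or recovery-ping-time, including the rule that ping-time = 0 requires recovery-ping-time to be set. Status codes in the demo are constructed.

```python
"""Model of the junction health ping (added example, not WebSEAL code).

response-code-rules: space-separated [+|-]<pattern> rules, evaluated in
order against the ping's HTTP status; the first match decides and no match
means healthy.  ping-time / recovery-ping-time: seconds between pings while
the junction is healthy / while it is considered not running.
"""
from fnmatch import fnmatchcase


def parse_rules(rules):
    """'+2?? -*' -> [(True, '2??'), (False, '*')]"""
    parsed = []
    for rule in rules.split():
        if len(rule) < 2 or rule[0] not in "+-":
            raise ValueError(f"bad rule {rule!r}: expected [+|-]<code>")
        parsed.append((rule[0] == "+", rule[1:]))
    return parsed


def is_healthy(status, rules=""):
    """Apply response-code-rules to one HTTP status code."""
    code = str(status)
    for healthy, pattern in parse_rules(rules):
        if fnmatchcase(code, pattern):   # '?' = one character, '*' = anything
            return healthy
    return True                          # no rule matched: treated as healthy


def ping_interval(healthy, ping_time=300, recovery_ping_time=None):
    """Seconds until the next background ping for a junction.
    ping-time = 0 turns routine pings off, so recovery-ping-time must be set;
    an unset recovery-ping-time defaults to ping-time."""
    if ping_time < 0 or (recovery_ping_time is not None and recovery_ping_time < 1):
        raise ValueError("ping-time must be >= 0 and recovery-ping-time >= 1")
    if recovery_ping_time is None:
        if ping_time == 0:
            raise ValueError("ping-time = 0 requires recovery-ping-time to be set")
        recovery_ping_time = ping_time
    return ping_time if healthy else recovery_ping_time


def simulate(statuses, rules, ping_time=300, recovery_ping_time=None):
    """Feed a sequence of ping results through the rules and return the
    interval chosen after each one."""
    return [ping_interval(is_healthy(s, rules), ping_time, recovery_ping_time)
            for s in statuses]


if __name__ == "__main__":
    # Constructed ping results: healthy, two failures, then recovery.
    print(simulate([200, 503, 503, 200], "+2?? -*", ping_time=300, recovery_ping_time=30))
```

The rule order matters: "+2?? -*" treats only 2xx as healthy, whereas "-50?" alone treats a 404 from the ping-uri as healthy because nothing matches it, which is why a dedicated status URI is worth pairing with an explicit rule set.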
share-cookies
Syntax
share-cookies = {yes|no}
Description
The share-cookies item is used to control whether the cookie jar will be shared across different junctions or whether each junction will have a dedicated cookie jar.
Options
yes If this entry is set to yes, cookies will be sent over all junctions, regardless of the junction from which the cookie originated.
no If this entry is set to no, only cookies received from the junction will be sent in requests to that junction.
Usage
This stanza entry is required.
Default value
no
Example
share-cookies = yes
support-virtual-host-domain-cookies
Syntax
support-virtual-host-domain-cookies = {yes|no}
Description
If validate-backend-domain-cookies is set to yes, then this option modifies how WebSEAL validates the cookie domain. This option has no effect if validate-backend-domain-cookies = no.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
yes If set to "yes", then the domain cookie is validated by comparing it with the virtual host specified for a backend server with the -v junction option.
no If set to "no", or if no virtual host was specified for a junction, then the fully qualified host name is compared with the domain value of a backend cookie for validation.
Usage
This stanza entry is required.
Default value
yes
Example
support-virtual-host-domain-cookies = yes
use-new-stateful-on-error
Syntax
use-new-stateful-on-error = {yes|no}
Description
Control how WebSEAL responds to a stateful server that becomes unavailable.
This configuration item may be customized for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For example:
[junction:/WebApp]
Options
yes When set to "yes" and the original server becomes unavailable during a session, WebSEAL directs the user's next request (containing the original stateful cookie) to a new replica server on the same stateful junction. If a new replica server is found on that stateful junction, and is responsive to the request, WebSEAL sets a new stateful cookie on the user's browser. Subsequent requests during this same session (and containing the new stateful cookie) are directed to this same new server.
no When set to "no" and the original server becomes unavailable during a session, WebSEAL does not direct the user's subsequent requests to a new replica server on the same stateful junction. Instead, WebSEAL returns an error and attempts to access the same server for subsequent requests by the user during this session.
Usage
This stanza entry is required.
Default value
no
Example
use-new-stateful-on-error = yes
validate-backend-domain-cookies
Syntax
validate-backend-domain-cookies = {yes|no}
Description
Specifies how WebSEAL validates the domain.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [junction:{junction_name}] stanza.
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
yes If set to "yes", then domain cookies that adhere to the cookie specification are forwarded to the user. If the fully qualified host name of the originating back-end machine is the domain, then the cookie is forwarded to the user with no domain specified.
no If set to "no", then all domain cookies are forwarded to the user, regardless of their content.
Usage
This stanza entry is required.
Default value
yes
Example
validate-backend-domain-cookies = yes
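The following is an added example, not IBM's code, that models the validate-backend-domain-cookies decision for a Set-Cookie header returned by a junctioned back-end. It assumes that a cookie whose Domain does not domain-match the back-end host is dropped (the page says only conforming domain cookies are forwarded); the host names are constructed.

```python
"""Added example (not IBM's code): model of the validate-backend-domain-cookies
check applied to Set-Cookie headers that a back-end server returns."""
from typing import Optional


def _domain_matches(cookie_domain: str, backend_host: str) -> bool:
    """RFC 6265 style domain-match: the cookie Domain must equal the back-end
    host or be a label-boundary suffix of it (example.com matches app.example.com)."""
    cd = cookie_domain.lower().lstrip(".")   # a leading dot is ignored per RFC 6265
    host = backend_host.lower()
    if not cd or "." not in cd:              # refuse empty domains and bare TLDs
        return False
    return host == cd or host.endswith("." + cd)


def filter_backend_cookie(set_cookie: str, backend_host: str, validate: bool) -> Optional[str]:
    """Return the Set-Cookie value to forward to the user, or None to drop it.

    validate mirrors validate-backend-domain-cookies = yes|no; backend_host is the
    fully qualified host name of the originating back-end machine.
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name_value, attrs = parts[0], parts[1:]
    domain_attr = None
    for attr in attrs:
        if attr.lower().startswith("domain="):
            domain_attr = attr.split("=", 1)[1].strip()
    if not validate or domain_attr is None:
        # validate = no forwards everything; host-only cookies carry no domain to check
        return set_cookie
    if domain_attr.lower().lstrip(".") == backend_host.lower():
        # Domain equals the back-end FQDN: forward with no domain specified
        kept = [name_value] + [a for a in attrs if not a.lower().startswith("domain=")]
        return "; ".join(kept)
    if _domain_matches(domain_attr, backend_host):
        return set_cookie
    return None  # assumption: a non-conforming domain cookie is not forwarded
```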
worker-thread-hard-limit
Syntax
worker-thread-hard-limit = number_of_threads
Description
Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.
Options
number_of_threads
150 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions. The default value of 100 means that there is no limit.
When the value of worker-thread-hard-limit is less than 100, and the limit is exceeded, WebSEAL generates an error message.
Usage
This stanza entry is required.
Default value
100
Example
worker-thread-hard-limit = 100
worker-thread-soft-limit
Syntax
worker-thread-soft-limit = number_of_threads
Description
Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.
Options
number_of_threads
Integer value indicating the limit, expressed as a percentage, of the total worker threads that are to be used for processing requests for junctions.
When the value of worker-thread-soft-limit is less than 100, and the limit is exceeded, WebSEAL generates a warning message.
Usage
This stanza entry is required.
Default value
90
Example
worker-thread-soft-limit = 90
disable-local-junctions
WebSEAL can serve pages from a local web server through local junctions.
Syntax
disable-local-junctions = {yes|no}
Description
If local junctions are not used, you can disable the functionality with the disable-local-junctions configuration item.
Options
yes Disables local junction functionality.
no Enables local junction functionality.
Usage
Optional.
The following example enables local junction functionality:
disable-local-junctions=no
[junction:junction_name] stanza
Note: This stanza is optional and must be manually inserted into the WebSEAL configuration file. The junction_name in the stanza name is the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction. For details about the configuration entries supported in this junction specific stanza, see the description of the corresponding configuration entry in the [junction] stanza.
[ldap] stanza
auth-timeout
Syntax
auth-timeout = {0|number_seconds}
Description
Amount of time (in seconds) that will be allowed for authentication operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for authentication operations.
Note: Do not specify this parameter in the ldap.conf server configuration file.
Options
0 No timeout is allowed.
number_seconds The specified number of seconds allowed for authentication operations, specified as an integer positive whole number. There is no range limitation for timeout values.
Usage
This stanza entry is optional.
Default value
0
Example
auth-timeout = 0
auth-using-compare
Syntax
auth-using-compare = {yes|true|no|false}
Description
Enables or disables authentication using password comparison. When disabled, authentication using LDAP bind is performed.
For those LDAP servers that allow it, a compare operation might perform faster than a bind operation.
Options
yes|true A password compare operation is used to authenticate LDAP users.
no|false A bind operation is used to authenticate LDAP users.
Usage
This stanza entry is optional.
Default value
The default value, when LDAP is enabled, is yes.
Example
auth-using-compare = yes
bind-dn
Syntax
bind-dn = LDAP_DN
Description
LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server. This is the name that represents the WebSEAL server daemon.
Options
LDAP_DN LDAP user distinguished name (DN) that is used when binding (or signing on) to the LDAP server.
Usage
This stanza entry is required when LDAP is enabled.
Default value
The default value is built by combining the daemon name webseald with the host_name that was specified by the administrator during the configuration of the Security Access Manager runtime component.
Example
bind-dn = cn=webseald/surf,cn=SecurityDaemons,secAuthority=Default
bind-pwd
Syntax
bind-pwd = LDAP_password
Description
Password for the LDAP user distinguished name declared in the bind-dn stanza entry.
Options
LDAP_password Password for the LDAP user distinguished name declared in the bind-dn stanza entry.
Usage
This stanza entry is required when LDAP is enabled.
Default value
The default value of this stanza entry is set during WebSEAL configuration. The WebSEAL configuration reads the LDAP_password that was specified by the administrator during the configuration of the Security Access Manager runtime component. This value is read from the Security Access Manager configuration file, pd.conf.
Example
bind-pwd = zs77WVoLSZn1rKrL
cache-enabled
Syntax
cache-enabled = {yes|true|no|false}
Description
Enable and disable LDAP client-side caching.
Options
yes|true Enable LDAP client-side caching.
no|false Disable LDAP client-side caching. Anything other than yes|true, including a blank value, is interpreted as no|false.
Usage
This stanza entry is required.
Default value
yes
Example
cache-enabled = yes
cache-group-expire-time
Syntax
cache-group-expire-time = number_of_seconds
Description
Specifies the amount of time to elapse before a group entry in the cache is discarded.
This entry is used only when cache-enabled = {yes|true}.
Options
number_of_seconds Specifies the amount of time to elapse before a group entry in the cache is discarded.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 300 seconds.
Example
cache-group-expire-time = 300
cache-group-membership
Syntax
cache-group-membership = {yes|no}
Description
Indicates whether group membership information should be cached.
This entry is used only when cache-enabled = {yes|true}.
Options
yes Cache group membership information.
no Do not cache group membership information.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the group information is cached.
Example
cache-group-membership = yes
cache-group-size
Syntax
cache-group-size = number
Description
Specifies the number of entries in the LDAP group cache.
This entry is used only when cache-enabled = {yes|true}.
Options
number Specifies the number of entries in the LDAP group cache.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 64.
Example
cache-group-size = 64
cache-policy-expire-time
Syntax
cache-policy-expire-time = number_of_seconds
Description
Specifies the amount of time to elapse before a policy entry in the cache is discarded.
This entry is used only when cache-enabled = {yes|true}.
Options
number_of_seconds Specifies the amount of time to elapse before a policy entry in the cache is discarded.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 30 seconds.
Example
cache-policy-expire-time = 30
cache-policy-size
Syntax
cache-policy-size = number
Description
Specifies the number of entries in the LDAP policy cache.
This entry is used only when cache-enabled = {yes|true}.
Options
number Specifies the number of entries in the LDAP policy cache.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 20.
Example
cache-policy-size = 20
cache-return-registry-id
Syntax
cache-return-registry-id = {yes|no}
Description
Indicates whether to cache the user identity as it is stored in the registry or cache the value as entered during authentication. Ignored if the cache is not enabled. If not set, the default is no.
Options
yes Cache the user identity as it is stored in the registry.
no Cache the user identity as it was entered during authentication.
Usage
This stanza entry is optional.
Default value
no
Example
cache-return-registry-id = no
cache-user-expire-time
Syntax
cache-user-expire-time = number_of_seconds
Description
Specifies the amount of time to elapse before a user entry in the cache is discarded.
This entry is used only when cache-enabled = {yes|true}.
Options
number_of_seconds Specifies the amount of time to elapse before a user entry in the cache is discarded.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 30 seconds.
Example
cache-user-expire-time = 30
cache-user-size
Syntax
cache-user-size = number
Description
Specifies the number of entries in the LDAP user cache.
This entry is used only when cache-enabled = {yes|true}.
Options
number
Specifies the number of entries in the LDAP user cache.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the default value used is 256.
Example
cache-user-size = 256
cache-use-user-cache
Syntax
cache-use-user-cache = {yes|no}
Description
Indicates whether to use the user cache information or not.
This entry is used only when cache-enabled = {yes|true}.
Options
yes Use the user cache information.
no Do not use the user cache information.
Usage
This stanza entry is optional.
Default value
There is no default value, but when not set the user cache information is used.
Example
cache-use-user-cache = yes
default-policy-override-support
Syntax
default-policy-override-support = {yes|true|no|false}
Description
Indicates whether default policy overrides user level policy during LDAP searches. When this stanza entry is set to yes, only the default policy is checked.
Options
yes|true User policy support is disabled and only the global (default) policy is checked. This option allows the user policy to be ignored, even when it is specified.
no|false User policy support is enabled. When a user policy is specified by the administrator, it overrides the global policy.
Usage
This stanza entry is optional.
Default value
By default, the value is not specified during WebSEAL configuration. When the value is not specified, the default behavior is to enable user policy support. This is equivalent to setting this stanza entry to no.
Example
default-policy-override-support = yes
enabled
Syntax
enabled = {yes|true|no|false}
Description
Indicates whether or not LDAP is being used as the user registry.
Options
yes|true Enable LDAP user registry support.
no|false Disables LDAP user registry support and indicates that LDAP is not the user registry being used. Anything other than yes|true, including a blank value, is interpreted as no|false.
Usage
This stanza entry is required when LDAP is the user registry.
Default value
The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
enabled = yes
host
Syntax
host = host_name
Description
Host name of the LDAP server.
Options
host_name Valid values for host_name include any valid IP host name. The host_name does not have to be a fully qualified domain name.
Usage
This stanza entry is required.
Default value
The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
host = diamond
host = diamond.example.com
login-failures-persistent
Syntax
login-failures-persistent = {yes|true|no|false}
Description
When set to "yes", login hits are tracked in the registry instead of only in the local process cache.
Persistent login hit recording impacts performance but allows consistent login hit counting across multiple servers.
Options
yes|true When set to "yes", login hits are tracked in the registry instead of only in the local process cache.
no|false When set to "no", login hits are tracked only in the local process cache, not in the registry.
Usage
This stanza entry is optional.
Default value
The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.
Example
login-failures-persistent = yes
max-search-size
Syntax
max-search-size = {0|number_entries}
Description
Limit for the maximum search size, specified as the number of entries, that can be returned from the LDAP server. The value for each server can be different, depending on how the server was configured.
Options
0 The number is unlimited; there is no limit to the maximum search size.
number_entries The maximum number of entries for search, specified as an integer whole number. This value can be limited by the LDAP server itself.
Usage
This stanza entry is optional.
Default value
The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
max-search-size = 2048
prefer-readwrite-server
Syntax
prefer-readwrite-server = {yes|true|no|false}
Description
Allows or disallows the client to question the Read/Write LDAP server before querying any replica Read-only servers configured in the domain.
Options
yes|true Enable the choice.
no|false Disable the choice. Anything other than yes|true, including a blank value, is interpreted as no|false.
Usage
This stanza entry is optional.
Default value
no
Example
prefer-readwrite-server = no
port
Syntax
port = port_number
Description
Number of the TCP/IP port used for communicating with the LDAP server. Note that this is not for SSL communication.
Options
port_number A valid port number is any positive integer that is allowed by TCP/IP and that is not currently being used by another application.
Usage
This stanza entry is required when LDAP is enabled.
Default value
The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
port = 389
replica
Syntax
replica = ldap-server, port, type, pref
Description
Definition of the LDAP user registry replicas in the domain.
Security Access Manager supports a maximum of one host and nine LDAP replica servers, which are listed in the ldap.conf file. If more than nine LDAP replica entries are listed, the Security Access Manager servers cannot start.
Options
ldap-server The network name of the server.
port The port number for the LDAP server. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.
type One of read-only or read/write.
pref A number from 1 to 10 (10 is the highest preference).
Usage
This stanza entry is optional.
Default value
Default value is that no replicas are specified.
Any value is always taken during WebSEAL initialization from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
Example of one replica specified and two replicas commented out:
replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
#replica = rep3,392,readwrite,3
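The following added example (not IBM's code) parses replica entries from an [ldap] stanza, enforces the limits stated above (four fields, a port in TCP range, a type of read-only or read/write, pref from 1 to 10, at most nine replicas) and orders the pool the way prefer-readwrite-server describes. The ordering rule for equal preferences and the sample stanza are constructed assumptions.

```python
"""Added example (not IBM's code): validate replica = ldap-server, port, type, pref
entries and order them for querying."""
from dataclasses import dataclass
from typing import List

MAX_REPLICAS = 9  # the page: one host plus at most nine replica servers


@dataclass(frozen=True)
class Replica:
    server: str
    port: int
    read_write: bool
    pref: int


def parse_replica_line(value: str) -> Replica:
    """Parse the value part of 'replica = ldap-server, port, type, pref'."""
    fields = [f.strip() for f in value.split(",")]
    if len(fields) != 4:
        raise ValueError(f"replica needs 4 fields, got {len(fields)}: {value!r}")
    server, port_s, rtype, pref_s = fields
    if not server:
        raise ValueError("replica: empty server name")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"replica: port {port} is outside the TCP range")
    # accept read-only / readonly and read/write / readwrite spellings
    norm = rtype.lower().replace("-", "").replace("/", "")
    if norm not in ("readonly", "readwrite"):
        raise ValueError(f"replica: type must be read-only or read/write, got {rtype!r}")
    pref = int(pref_s)
    if not 1 <= pref <= 10:
        raise ValueError(f"replica: pref {pref} is outside 1..10")
    return Replica(server, port, norm == "readwrite", pref)


def load_replicas(stanza_text: str) -> List[Replica]:
    """Collect the active replica entries of an [ldap] stanza; '#' lines are comments."""
    replicas: List[Replica] = []
    for raw in stanza_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "replica":
            replicas.append(parse_replica_line(value))
    if len(replicas) > MAX_REPLICAS:
        raise ValueError(f"{len(replicas)} replicas listed; the servers cannot start with more than {MAX_REPLICAS}")
    return replicas


def query_order(replicas: List[Replica], prefer_readwrite: bool) -> List[Replica]:
    """Highest pref first (10 is the highest); with prefer-readwrite-server = yes the
    read/write servers are consulted before any read-only replica. Ties fall back
    to server name (an assumption, not documented behaviour)."""
    return sorted(
        replicas,
        key=lambda r: (-int(r.read_write and prefer_readwrite), -r.pref, r.server),
    )


# Constructed sample mirroring the page's example: one active, two commented out
SAMPLE_STANZA = """[ldap]
replica = rep1,390,readonly,1
#replica = rep2,391,readwrite,2
#replica = rep3,392,readwrite,3
"""
```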
search-timeout
Syntax
search-timeout = {0|number_seconds}
Description
Amount of time (in seconds) that will be allowed for search operations before the LDAP server is considered to be down. If specified, this value overrides any value of timeout for search operations.
Note: Do not specify this parameter in the ldap.conf server configuration file.
Options
0 No timeout is allowed.
number_seconds The specified number of seconds allowed for search operations, specified as an integer positive whole number. There is no range limitation for timeout values.
Usage
This stanza entry is optional.
Default value
0
Example
search-timeout = 0
ssl-enabled
Syntax
ssl-enabled = {yes|true|no|false}
Description
Enables or disables SSL communication between WebSEAL and the LDAP server.
Options
yes|true Enable SSL communication.
no|false Disable SSL communication.
Usage
This stanza entry is optional.
Default value
SSL communication is disabled by default. During WebSEAL server configuration, the WebSEAL administrator can choose to enable it.
Example
ssl-enabled = yes
ssl-keyfile
Syntax
ssl-keyfile = file_name
Description
SSL key file name. The SSL key file handles certificates that are used in LDAP communication.
Options
file_name The WebSEAL administrator specifies this file name during WebSEAL configuration. The file name can be any arbitrary choice, but the extension is usually .kdb.
Usage
This stanza entry is required when SSL communication is enabled, as specified in the ssl-enabled stanza entry.
Default value
None.
Example
ssl-keyfile = webseald.kdb
ssl-keyfile-dn
Syntax
ssl-keyfile-dn = key_label
Description
String that specifies the key label of the client personal certificate within the SSL key file. This key label is used to identify the client certificate that is presented to the LDAP server.
Options
key_label String that specifies the key label of the client personal certificate within the SSL key file.
Usage
This stanza entry is optional. A label is not required when one of the certificates in the keyfile has been identified as the default certificate. The decision whether to identify a certificate as the default was made previously by the LDAP administrator when configuring the LDAP server. The WebSEAL configuration utility prompts the WebSEAL administrator to supply a label. When the administrator knows that the certificate contained in the keyfile is the default certificate, the administrator does not have to specify a label.
Default value
None.
Example
ssl-keyfile-dn = "PD_LDAP"
ssl-keyfile-pwd
Syntax
ssl-keyfile-pwd = password
Description
Password to access the SSL key file.
Options
password Password to access the SSL key file. The WebSEAL administrator specifies this password during WebSEAL configuration. The password associated with the default SSL keyfile is gsk4ikm.
Usage
Deprecated: The ssl-keyfile-pwd entry is deprecated in the [ldap] stanza. Although this entry might exist in a configuration file, it will be ignored.
Default value
None.
Example
ssl-keyfile-pwd = gsk4ikm
ssl-port
Syntax
ssl-port = port_number
Description
SSL IP port that is used to connect to the LDAP server. Note that this is for SSL communication.
Options
port_number A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application.
Usage
This stanza entry is required only when LDAP is enabled and the LDAP server is configured to perform client authentication (ssl-enabled = yes).
Default value
The default value is always taken (during WebSEAL initialization) from the corresponding parameter in the [ldap] stanza of the ldap.conf configuration file for the LDAP server.
Example
ssl-port = 636
timeout
Syntax
timeout = {0|number_seconds}
Description
Amount of time (in seconds) that is allowed for authentication or search operations before the LDAP server is considered to be unavailable. If specified, a value for the stanza entries auth-timeout or search-timeout overrides the value of this stanza entry.
Note: Do not specify this parameter in the ldap.conf server configuration file.
Options
0 No timeout is allowed.
number_seconds The number of seconds allowed for authentication or search, specified as a positive integer whole number. There is no range limitation for timeout values.
Usage
This stanza entry is optional.
Default value
0
Example
timeout = 0
user-and-group-in-same-suffix
Syntax
user-and-group-in-same-suffix = {yes|true|no|false}
Description
Indicates whether the groups, in which a user is a member, are defined in the same LDAP suffix as the user definition.
When a user is authenticated, the groups in which the user is a member must be determined in order to build a credential. Normally, all LDAP suffixes are searched to locate the groups of which the user is a member.
Options
yes|true The groups are assumed to be defined in the same LDAP suffix as the user definition. Only that suffix is searched for group membership. This behavior can improve the performance of group lookup because only a single suffix is searched for group membership. This option should only be specified if group definitions are restricted to the same suffix as the user definition.
no|false The groups might be defined in any LDAP suffix.
Usage
This stanza entry is optional.
Default value
The value is not specified by default during WebSEAL configuration. When the value is not specified, the default value is no.
Example
user-and-group-in-same-suffix = yes
[local-response-macros] stanza
macro
Syntax
macro = macro[:name]
Description
URL-encoded macros to include in the query string for all redirected management page requests. WebSEAL provides a default set of macros.
By default, WebSEAL uses the macro values as arguments in the generated query string. Alternatively, you can customize the name of the arguments used in the query string by adding a colon followed by a name value.
Options
macro URL-encoded macro.
name WebSEAL uses this custom name as an argument in the response URI. If you do not provide a value for this custom name then WebSEAL defaults to using the macro value as an argument in the response URI.
Note: For the HTTPHDR macro, the default value is HTTPHDR_<name>, where <name> is the name of the HTTP header defined in the macro. For the CREDATTR macro, the default value is CREDATTR_<name>, where <name> is the name of the attribute defined in the macro.
Usage
This stanza entry is optional.
Default value
None.
Example
The following entry causes WebSEAL to use the default value USERNAME as an argument in the query string.
macro = USERNAME
The following entry causes WebSEAL to use the custom value myUserName as an argument in the query string.
macro = USERNAME:myUserName
[local-response-redirect] stanza
local-response-redirect-uri
Syntax
local-response-redirect-uri = URI
Description
URL to which management page requests are redirected.
All requests for management pages are redirected to this URL with a query string indicating the operation requested, along with any macros (as configured in the [local-response-macros] stanza).
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [local-response-redirect:{junction_name}] stanza,
where {junction_name} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
URI URL to which management page requests are redirected.
Usage
This stanza entry is optional.
Default value
None.
Example of a server relative URL:
local-response-redirect-uri = /jct/page.html
Example of an absolute URL:
local-response-redirect-uri = http://www.example.com/
[logging] stanza
absolute-uri-in-request-log
Syntax
absolute-uri-in-request-log = {yes|no}
Description
Log the absolute URI in the request log, combined log, and HTTP audit records. Adds protocol and host to the path.
Options
yes Log the absolute URI.
no Do not log the absolute URI.
Usage
This stanza entry is required.
Default value
no
Example
absolute-uri-in-request-log = no
agents
Syntax
agents = {yes|no}
Description
Enables or disables the agents log. This log records the contents of the User-Agent: header of each HTTP request.
Options
yes The value yes enables agents logging.
no The value no disables agents logging.
Usage
This stanza entry is required.
Default value
yes
Example
agents = yes
audit-mime-types
Syntax
mime-pattern = {yes|no}
Description
Determines whether WebSEAL will generate an audit event for an HTTP request based on the content-type of the HTTP response.
Options
yes WebSEAL will generate an audit event for a response that contains the corresponding content MIME-type.
no WebSEAL will not generate an audit event for a response that contains the corresponding content MIME-type.
Usage
This stanza entry is optional.
Note:
1. More specific MIME patterns take precedence over less specific MIME patterns. For example, if image/* = yes (general) but image/jpeg = no (more specific), then an HTTP response with an image MIME-type other than JPEG will generate an audit event; a response with a JPEG MIME-type will not generate an audit event.
2. If an HTTP response does not match any of the MIME patterns listed in this stanza, WebSEAL will generate an audit event.
Default value
None
Example
image/jpeg = no
image/* = no
*/* = no
audit-response-codes
Syntax
code = {yes|no}
Description
Determines whether WebSEAL will generate an audit event for an HTTP request based on the response code of the HTTP response.
Options
yes WebSEAL will generate an audit event for an HTTP response that matches the corresponding response code.
no WebSEAL will not generate an audit event for an HTTP response that matches the corresponding response code.
Usage
This stanza entry is optional.
Default value
None.
Example
200 = no
304 = no
401 = yes
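The following added example (not IBM's code) evaluates the [audit-mime-types] and [audit-response-codes] rules above: the most specific MIME pattern wins, and an unmatched Content-Type is audited. Response codes carry no documented fallback, so treating an unmatched code as audited is an assumption made here for symmetry; the parser and sample stanzas are constructed.

```python
"""Added example (not IBM's code): decide whether a response triggers an audit
event under the audit-mime-types and audit-response-codes stanzas."""
from typing import Dict


def parse_yes_no_entries(stanza_text: str) -> Dict[str, str]:
    """Read 'key = yes|no' lines of a stanza into a dict; blank and '#' lines are skipped."""
    entries: Dict[str, str] = {}
    for raw in stanza_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed stanza line: {raw!r}")
        entries[key.strip().lower()] = value.strip().lower()
    return entries


def should_audit_mime(content_type: str, patterns: Dict[str, str]) -> bool:
    """Most specific matching pattern wins (type/subtype, then type/*, then */*);
    a response that matches no pattern generates an audit event (rule 2)."""
    media = content_type.split(";", 1)[0].strip().lower()   # drop charset etc.
    if "/" not in media:
        return True
    mtype = media.split("/", 1)[0]
    for candidate in (media, f"{mtype}/*", "*/*"):
        if candidate in patterns:
            return patterns[candidate] == "yes"
    return True


def should_audit_code(status: int, codes: Dict[str, str]) -> bool:
    """Look the status code up in the audit-response-codes entries.
    Assumption (not on the page): an unlisted code is audited, mirroring the MIME rule."""
    setting = codes.get(str(status))
    if setting is None:
        return True
    return setting == "yes"


# Constructed sample stanzas mirroring the page's examples
MIME_STANZA = """[audit-mime-types]
image/jpeg = no
image/* = no
*/* = no
"""
CODE_STANZA = """[audit-response-codes]
200 = no
304 = no
401 = yes
"""
```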
flush-time
Syntax
flush-time = number_of_seconds
Description
Integer value indicating the frequency, in seconds, to force a flush of log buffers.
Options
number_of_seconds Integer value indicating the frequency, in seconds, to force a flush of log buffers. The minimum value is 1 second. The maximum value is 600 seconds.
Usage
This stanza entry is optional.
Default value
20
Example
flush-time = 20
gmt-time
Syntax
gmt-time = {yes|no}
Description
Enables or disables logging requests using Greenwich Mean Time (GMT) instead of the local timezone.
Options
yes A value of yes means to use GMT.
no A value of no means to use the local timezone.
Usage
This stanza entry is required.
Default value
no
Example
gmt-time = no
host-header-in-request-log
Syntax
host-header-in-request-log = {yes|no}
Description
Log the Host header at the front of each line in the request log and the combined log.
Options
yes Log the Host header.
no Do not log the Host header.
Usage
This stanza entry is required.
Default value
no
Example
host-header-in-request-log = no
log-invalid-requests
Syntax
log-invalid-requests = {yes|no}
Description
Specifies whether or not WebSEAL logs all requests that are malformed or for some other reason are not processed to completion.
Options
yes WebSEAL logs every request, even if a request is malformed or for some other reason is not processed to completion.
no WebSEAL logs most requests. In some cases, requests that are malformed or for some other reason are not processed to completion will not be logged. This option exists for compatibility with versions of WebSEAL prior to version 6.0.
Usage
This stanza entry is required.
Default value
yes
Example
log-invalid-requests = yes
max-size
Syntax
max-size = number_of_bytes
Description
Integer value indicating the size limit of the log files. This value applies to the request, referer, and agent logs. The size limit is also referred to as the rollover threshold. When the log file reaches this threshold, the original log file is renamed and a new log file with the original name is created.
Options
number_of_bytes
When the value is zero (0), no rollover log file is created.
When the value is a negative integer, the logs are rolled over daily, regardless of the size.
When the value is a positive integer, the value indicates the maximum size, in bytes, of the log file before the rollover occurs. The allowable range is from 1 byte to 2 gigabytes.
Usage
This stanza entry is required.
Default value
2000000
Example
max-size = 2000000
referers
Syntax
referers = {yes|no}
Description
Enables or disables the referers log. This log records the Referer: header of each HTTP request.
Options
yes The value yes enables referers logging.
no The value no disables referers logging.
Usage
This stanza entry is required.
Default value
yes
Example
referers = yes
requests
Syntax
requests = {yes|no}
Description
Enables or disables the requests log. This log records standard logging of HTTP requests.
Options
yes The value yes enables requests logging.
no The value no disables requests logging.
Usage
This stanza entry is required.
Default value
yes
Example
requests = yes
request-log-format
Syntax
request-log-format = directives
Description
Contains the format in which a customized request log should be created. See the IBM Security Access Manager for Web: Auditing Guide for more information.
Options
The following directives can be used:
%a Remote IP Address.
%A Local IP Address.
%b Bytes in the reply excluding HTTP headers in CLF format: '-' instead of 0 when no bytes are returned.
%B Bytes in the reply excluding HTTP headers.
%{Attribute}C Attribute from the Security Access Manager credential named 'Attribute'.
%d Transaction identifier, or session sequence number.
%F Time taken to serve the request in microseconds.
%h Remote host.
%H Request protocol.
%{header-name}i Contents of the Header header-name in the request.
%j The name of the junction in the request.
%l Remote logname.
%m Request method (that is, GET, POST, HEAD).
%{header-name}o Contents of the Header header-name in the reply.
%p Port of the WebSEAL server the request was served on.
%q The query string (prepended with '?' or empty).
%Q Logs raw query strings that the user must decode manually.
%r First line of the request.
%R First line of the request including HTTP://HOSTNAME.
%s Status.
%t Time and date in CLF format.
%{format}t The time and date in the given format.
%T Time taken to serve the request in seconds.
%u Remote user.
%U The URL requested.
%v Canonical ServerName of the server serving the request.
%z The path portion of the URL in decoded form.
%Z The path portion of the URL in raw form.
Usage
The request-log-format string CANNOT contain the # character.
Default value
The default of this parameter is equivalent to the normal default log output. It iscommented out by default.
Example
Example on UNIX or Linux:
request-log-format = %h %l %u %t "%r" %s %b
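The following added example (not IBM's code) expands the request-log-format directives listed above against a single request record, including the %{...}i, %{...}o, %{...}C and %{format}t forms, the '-' convention of %b, and the rule that the format string cannot contain the # character. The request record is a plain dict constructed here, not a WebSEAL structure, and the handling of the %R host is an assumption.

```python
"""Added example (not IBM's code): render a request-log-format string for one
request, using the directive table from this page."""
import re
from datetime import datetime, timezone
from typing import Any, Dict, Optional

DIRECTIVE_RE = re.compile(r"%(?:\{([^}]*)\})?([A-Za-z])")


def _dash(value: Any) -> str:
    """CLF convention: an absent value is logged as '-'."""
    return "-" if value is None else str(value)


def _lookup(mapping: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header or attribute lookup."""
    for key, val in mapping.items():
        if key.lower() == name.lower():
            return val
    return None


def format_request_log(fmt: str, req: Dict[str, Any]) -> str:
    """Return one log line for req. Unknown directives are left untouched."""
    if "#" in fmt:
        raise ValueError("request-log-format CANNOT contain the # character")
    when: datetime = req["time"]
    micros = req.get("micros", 0)
    first_line = f'{req["method"]} {req["path"]} {req["protocol"]}'
    simple: Dict[str, Any] = {
        "a": req.get("remote_ip"), "A": req.get("local_ip"),
        "b": req["bytes"] or None,          # '-' instead of 0 when no bytes are returned
        "B": req["bytes"], "d": req.get("transaction_id"),
        "F": micros, "h": req.get("remote_host"), "H": req["protocol"],
        "j": req.get("junction"), "l": req.get("remote_logname"),
        "m": req["method"], "p": req.get("port"),
        "q": ("?" + req["query"]) if req.get("query") else "",
        "r": first_line,
        # assumption: %R prefixes scheme and host from the record
        "R": f'{req["method"]} {req.get("scheme", "http")}://{req.get("host", "")}{req["path"]} {req["protocol"]}',
        "s": req["status"], "t": when.strftime("[%d/%b/%Y:%H:%M:%S %z]"),
        "T": micros // 1_000_000, "u": req.get("remote_user"),
        "U": req["path"], "v": req.get("server_name"),
    }

    def expand(m: "re.Match[str]") -> str:
        arg, letter = m.group(1), m.group(2)
        if arg is not None:                        # the %{...}X forms
            if letter == "i":
                return _dash(_lookup(req.get("request_headers", {}), arg))
            if letter == "o":
                return _dash(_lookup(req.get("response_headers", {}), arg))
            if letter == "C":
                return _dash(_lookup(req.get("cred_attrs", {}), arg))
            if letter == "t":
                return when.strftime(arg)
            return m.group(0)
        return _dash(simple[letter]) if letter in simple else m.group(0)

    return DIRECTIVE_RE.sub(expand, fmt)


# Constructed sample request record (not captured from a real WebSEAL instance)
SAMPLE_REQUEST: Dict[str, Any] = {
    "time": datetime(2012, 10, 5, 13, 55, 36, tzinfo=timezone.utc),
    "remote_host": "192.0.2.10", "remote_logname": None, "remote_user": "jdoe",
    "method": "GET", "path": "/jct/index.html", "query": "lang=en",
    "protocol": "HTTP/1.1", "status": 200, "bytes": 0, "junction": "/jct",
    "micros": 2_500_000, "request_headers": {"User-Agent": "Mozilla/5.0"},
    "cred_attrs": {"AZN_CRED_PRINCIPAL_NAME": "jdoe"},
}
```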
server-log-cfg
Syntax
server-log-cfg = agent [parameter=value],[parameter=value]...
Description
Configures the server for logging. You can use the available parameters to configure the logging agents.
Options
agent Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
- stdout
- stderr
- file
- remote
- rsyslog
Note: If you use the remote agent to send audit events to a remote authorization server, ensure that the destination server is configured to process the received events. In particular, the logcfg configuration entry in the aznapi-configuration stanza must be set on the remote authorization server. You must use the following format for the category value in this logcfg entry:
remote.webseal.hostname.webseald
where
hostname The name of the appliance that originated the event.
For example, the following entry configures the remote authorization server to accept logging events from the iswga.au.ibm.com server, and send these events to the event.log file:
logcfg = remote.webseal.iswga.au.ibm.com.webseald:file path=/var/PolicyDirector/log/event.log
The remote authorization server discards any events that originate from a server for which there is no matching logcfg rule.
parameter The different agents support the following configuration parameters:
Table 1. Logging agent configuration parameters
Parameter        Supporting agents
buffer_size      remote
compress         remote
dn               remote
error_retry      remote, rsyslog
flush_interval   all
hi_water         all
log_id           file, rsyslog
max_event_len    rsyslog
mode             file
path             all
port             remote, rsyslog
queue_size       all
rebind_retry     remote, rsyslog
rollover_size    file
server           remote, rsyslog
ssl_keyfile      rsyslog
ssl_label        rsyslog
ssl_stashfile    rsyslog
Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.
Usage
This stanza entry is required.
Default value
None.
Example
To log server events in a file called msg__webseald.log:
server-log-cfg = file path=msg__webseald.log
To send server events to a remote syslog server:
server-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance
[ltpa] stanza
Accept and generate LTPA cookies for authentication.
ltpa-auth
Syntax
ltpa-auth = {http|https|both|none}
Description
Enables support for LTPA cookie generation and authentication.
Options
http Enables support for http cookies.
https Enables support for https cookies.
both Enables support for both http and https cookies.
none Disables support for both http and https cookies.
Usage
This stanza entry is required.
Default value
none
Example
ltpa-auth = https
cookie-name
Syntax
cookie-name = cookie_name
Description
The name of the LTPA cookie that WebSEAL issues to clients.
Options
cookie_name This must be Ltpatoken2 as only LTPA version 2 cookies are supported.
Usage
This stanza entry is required.
Default value
Ltpatoken2
Example
cookie-name = Ltpatoken2
cookie-domain
Syntax
cookie-domain = domain_name
Description
The domain of the LTPA cookie that WebSEAL issues to clients. If you do not specify a cookie domain, WebSEAL creates the LTPA cookie as a host-only cookie.
Options
domain_name The domain of the LTPA cookie.
Usage
This stanza entry is required.
Default value
none
Example
cookie-domain = ibm.com
jct-ltpa-cookie-name
Syntax
jct-ltpa-cookie-name = cookie_name
Description
The name of the cookie containing the LTPA token that WebSEAL sends across the junction to the backend server. If you do not specify a value for this item, WebSEAL uses the following default values:
- LtpaToken for cookies containing LTPA tokens.
- LtpaToken2 for cookies containing LTPA version 2 tokens.
WebSphere also uses these default values.
Options
cookie_name This name must match the LTPA cookie name that the WebSphere application uses on this junction.
Usage
This stanza entry is optional.
Default value
The default value for LTPA tokens is LtpaToken.
The default value for LTPA2 tokens is LtpaToken2.
Example
jct-ltpa-cookie-name = myCookieName
keyfile
Syntax
keyfile = keyfile_name
Description
The key file used when accessing LTPA cookies. The value must correspond to a valid LTPA key file, as generated by WebSphere.
Options
keyfile_name Name of a valid LTPA key file, as generated by WebSphere.
Usage
This stanza entry is optional.
Default value
none
Example
keyfile = keyfile123
update-cookie
Syntax
update-cookie = number_of_seconds
Description
The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie. With each request, if n seconds have passed since the last cookie update, another update will occur. A zero value will cause the lifetime timestamp in the LTPA cookie to be updated with each request. Negative values will cause the lifetime of the cookie to be set to the same value as the lifetime of the user session. This setting is used in an attempt to mimic the inactivity timeout of a user session.
Note: This configuration entry affects the LTPA cookie that WebSEAL issues to clients. It is the lifetime of the cookie specified by the cookie-name configuration entry in the [ltpa] stanza.
Options
number_of_seconds The number of seconds that pass between updates of the LTPA cookie with the lifetime of the cookie.
Usage
This stanza entry is required.
Default value
-1
Example
update-cookie = 0
use-full-dn
Syntax
use-full-dn = {true|false}
Description
Controls whether the generated LTPA cookie contains the full DN of the user, or the Security Access Manager short name of the user.
Options
true WebSEAL inserts the full DN of the user into the LTPA cookie.
false WebSEAL inserts the Security Access Manager short name of the user into the LTPA cookie.
Usage
This stanza entry is optional.
Default value
true
Example
use-full-dn = true
[ltpa-cache] stanza
ltpa-cache-enabled
Syntax
ltpa-cache-enabled = {yes|no}
Description
Enables or disables the Lightweight Third Party Authentication cache.
Options
yes A value of yes enables caching.
no A value of no disables caching.
Usage
This stanza entry is required.
Default value
yes
Example
ltpa-cache-enabled = yes
ltpa-cache-entry-idle-timeout
Syntax
ltpa-cache-entry-idle-timeout = number_of_seconds
Description
Integer value that specifies the timeout, in seconds, for cache entries that are idle.
Options
number_of_seconds Integer value that specifies the timeout, in seconds, for cache entries that are idle. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to inactivity. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-lifetime stanza entry being exceeded. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required, but is ignored when LTPA caching is disabled.
Default value
600
Example
ltpa-cache-entry-idle-timeout = 600
ltpa-cache-entry-lifetime
Syntax
ltpa-cache-entry-lifetime = number_of_seconds
Description
Integer value that specifies the lifetime, in seconds, of a LTPA cache entry.
Options
number_of_seconds Integer value that specifies the lifetime, in seconds, of a LTPA cache entry. The value must be greater than or equal to zero (0). A value of zero means that entries are not removed from the LTPA cache due to their entry lifetime being exceeded. However, they may still be removed due to either the ltpa-cache-size being exceeded or the ltpa-cache-entry-idle-timeout stanza entry being exceeded. WebSEAL does not impose a maximum value.
Usage
This stanza entry is required, but is ignored when LTPA caching is disabled.
Default value
3600
Example
ltpa-cache-entry-lifetime = 3600
ltpa-cache-size
Syntax
ltpa-cache-size = number_of_entries
Description
Integer value indicating the number of entries allowed in the LTPA cache.
Options
number_of_entries Integer value indicating the number of entries allowed in the LTPA cache. The value must be greater than or equal to zero (0). A value of zero means that there is no limit on the size of the LTPA cache. This is not recommended.
WebSEAL does not impose a maximum value. Choose your maximum value to stay safely within the bounds of your available system memory.
Usage
This stanza entry is required, but is ignored when LTPA caching is disabled.
Default value
4096
Example
ltpa-cache-size = 4096
[mpa] stanza
mpa
Syntax
mpa = {yes|no}
Description
Enables support for multiplexing proxy agents.
Options
yes Enables support for multiplexing proxy agents.
no Disables support for multiplexing proxy agents.
Usage
This stanza entry is required.
Default value
no
Example
mpa = no
[oauth-eas] stanza
Notes:
- You can configure this stanza to support OAuth authorization decisions as part of WebSEAL requests. For more information about OAuth authorization decisions support, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
- The OAuth EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger, with an associated value of trigger_oauth_eas.
apply-tam-native-policy
Syntax
apply-tam-native-policy = {true | false}
Description
Determines whether the native Security Access Manager ACL policy still takes effect, in addition to the OAuth authorization.
Options
true The OAuth EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.
false The OAuth EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
apply-tam-native-policy = false
bad-gateway-rsp-file
Syntax
bad-gateway-rsp-file = <file_name>
Description
Specifies the file that contains the body that is used when constructing a 502 Bad Gateway response. This response is generated when Tivoli Federated Identity Manager fails to process the request.
Options
<file_name> The name of the 502 Bad Gateway response file.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
bad-gateway-rsp-file = bad_gateway.html
bad-request-rsp-file
Syntax
bad-request-rsp-file = <file_name>
Description
Specifies the file that contains the body that is used when constructing a 400 Bad Request response. This response is generated when required OAuth elements are missing from a request.
Options
<file_name> The name of the 400 Bad Request response file.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
bad-request-rsp-file = bad_rqst.html
cache-size
Syntax
cache-size = <number_decisions>
Description
Specifies the maximum number of OAuth 2.0 bearer token authorization decisions to cache. This EAS has a built-in cache for storing authorization decisions so that WebSEAL can repeatedly use the same OAuth 2.0 bearer token without sending repeated requests to Tivoli Federated Identity Manager.
WebSEAL can cache bearer token decisions because they do not require signing of the request, unlike OAuth 1.0 requests. The lifetime of the cache entry depends on the Expires attribute that Tivoli Federated Identity Manager returns. If Tivoli Federated Identity Manager does not return this attribute, WebSEAL does not cache the decision.
This EAS implements a Least Recently Used cache. The decision associated with the least recently used bearer token is forgotten when a new bearer token decision is cached. A cache-size of 0 disables caching of authorization decisions.
Options
<number_decisions> The maximum number of OAuth 2.0 bearer token authorization decisions that WebSEAL caches.
Usage
This stanza entry is optional.
Default value
The default value is 0, which disables caching of authorization decisions.
Example
cache-size = 0
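The eviction rules described for the [ltpa-cache] stanza above (idle timeout, entry lifetime and size limit, each with zero meaning no limit) and for this cache-size entry (LRU replacement, a lifetime taken from the Expires attribute, and zero meaning caching is off) are easy to misread, particularly because the two stanzas give 0 opposite meanings. The following Python class is an added example and not IBM code: it combines the two behaviours so that the difference is explicit (max_size=None stands for the [ltpa-cache] meaning of 0, max_size=0 for the OAuth EAS meaning), takes the clock as a parameter so the behaviour is deterministic, and treats a timer as expired once the configured number of seconds has elapsed. The class and parameter names are mine.

```python
from collections import OrderedDict


class DecisionCache:
    """LRU cache with the eviction rules of the [ltpa-cache] and OAuth EAS caches.

    max_size      entries allowed; None = unlimited (what 0 means for ltpa-cache-size,
                  which the page advises against), 0 = cache disabled (what 0 means
                  for the OAuth EAS cache-size).
    idle_timeout  seconds since last use; 0 = entries never idle out.
    lifetime      seconds since insertion; 0 = entries never age out.
    An entry may also carry its own absolute expiry (the Expires attribute the OAuth
    EAS receives); it is honoured in addition to the stanza-level limits.
    """

    def __init__(self, max_size=4096, idle_timeout=600, lifetime=3600):
        if idle_timeout < 0 or lifetime < 0 or (max_size is not None and max_size < 0):
            raise ValueError("sizes and timeouts must be >= 0")
        self.max_size = max_size
        self.idle_timeout = idle_timeout
        self.lifetime = lifetime
        # key -> [value, inserted_at, last_used_at, expires_at]; dict order is LRU order
        self._entries = OrderedDict()

    def put(self, key, value, now, expires=None):
        """Cache a value; returns False when caching is disabled (max_size == 0)."""
        if self.max_size == 0:
            return False
        self._entries.pop(key, None)
        self._entries[key] = [value, now, now, expires]
        if self.max_size is not None:
            while len(self._entries) > self.max_size:
                self._entries.popitem(last=False)   # drop the least recently used entry
        return True

    def get(self, key, now):
        """Return the cached value, or None if absent or expired by any rule."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        if self._expired(entry, now):
            del self._entries[key]
            return None
        entry[2] = now                      # refresh the idle timer
        self._entries.move_to_end(key)      # mark as most recently used
        return entry[0]

    def purge(self, now):
        """Drop every entry that get() would reject; returns the number removed."""
        stale = [k for k, e in self._entries.items() if self._expired(e, now)]
        for k in stale:
            del self._entries[k]
        return len(stale)

    def _expired(self, entry, now):
        _, inserted, last_used, expires = entry
        if expires is not None and now >= expires:
            return True
        if self.lifetime and now - inserted >= self.lifetime:
            return True
        if self.idle_timeout and now - last_used >= self.idle_timeout:
            return True
        return False

    def __len__(self):
        return len(self._entries)
```

The idle timer is only refreshed on a hit, so an entry that is never looked up again ages out on idle_timeout even when lifetime is much larger; with both limits set to 0 and max_size=None, nothing is ever evicted, which is the memory-growth case the page warns about for ltpa-cache-size.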
cluster-name
Syntax
cluster-name = <cluster>
Description
The name of the Tivoli Federated Identity Manager cluster that hosts this OAuth service. You must also specify a corresponding [tfim-cluster:<cluster>] stanza, which contains the definition of the cluster.
Options
<cluster> The name of the Tivoli Federated Identity Manager cluster where the OAuth service is hosted.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
cluster-name = oauth-cluster
For this example, there needs to be a corresponding [tfim-cluster:oauth-cluster] stanza to define the cluster.
default-fed-id
Syntax
default-fed-id = <provider_url>
Description
The Provider ID of the default OAuth federation in Tivoli Federated Identity Manager. By default, WebSEAL uses this provider ID for OAuth requests.
You can override this default provider for an individual request by including a request parameter that has the name specified by the fed-id-param configuration entry.
Options
<provider_url> The Provider ID, a URL, of the federation that WebSEAL uses for OAuth requests. You can find the Provider ID of a federation on the federation properties page.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None
Example
default-fed-id = https://localhost/sps/oauthfed/oauth10
default-mode
Syntax
default-mode = <oauth_mode>
Description
The default OAuth mode that this EAS uses. The mode affects the validation of request parameters and the construction of the RequestSecurityToken (RST) sent to Tivoli Federated Identity Manager.
You can override this default mode for an individual request by providing a valid mode value [OAuth10|OAuth20Bearer] in a request parameter. The request parameter must have the name that is specified by the mode-param configuration entry.
Options
<oauth_mode> The OAuth mode that the OAuth EAS uses by default.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
default-mode = OAuth10
fed-id-param
Syntax
fed-id-param = <request_param_name>
Description
The name of the parameter that you can include in a request to override the Provider ID that is specified by the default-fed-id configuration entry. If this fed-id-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the Provider ID contained in the request rather than the default-fed-id Provider ID.
Note: You can delete this configuration entry to ensure that WebSEAL always uses the default provider that is specified by default-fed-id.
Options
<request_param_name> The name of the request parameter whose value specifies the Provider ID for WebSEAL to include in OAuth requests. If no such parameter exists in the request, WebSEAL uses the Provider ID specified by default-fed-id.
Usage
This stanza entry is optional.
Note: If you do not configure this stanza entry, WebSEAL always uses the provider that is configured as the default-fed-id.
Default value
None.
Example
fed-id-param = FederationId
mode-param
Syntax
mode-param = <mode_name>
Description
The name of the parameter that you can include in a request to override the mode that is specified by the default-mode configuration entry. If this mode-param configuration entry is set, WebSEAL checks incoming requests for a parameter with the specified name. If this request parameter exists, WebSEAL uses the mode contained in the request rather than the mode specified by default-mode.
Note: You can delete this configuration entry to ensure that WebSEAL always uses the default mode that is specified by default-mode.
Options
<mode_name> The name of the request parameter whose value specifies the mode for the OAuth EAS to use. If no such parameter exists in the request, WebSEAL uses the mode specified by default-mode.
Usage
This stanza entry is optional.
Note: If you do not configure this stanza entry, WebSEAL always uses the mode that is configured as the default-mode.
Default value
None.
Example
mode-param = mode
realm-name
Syntax
realm-name = <realm_name>
Description
The name of the OAuth realm that is used in the 401 response that requests OAuth data from the client.
Options
<realm_name> The name of the OAuth realm.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
realm-name = realmOne
trace-component
Syntax
trace-component = <component_name>
Description
The name of the Security Access Manager trace component that the OAuth EAS uses.
Options
<component_name> The name of the Security Access Manager trace component.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Note: The pdweb.oauth component traces the data that passes into the OAuth EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.
Default value
None.
Example
trace-component = pdweb.oauth
unauthorized-rsp-file
Syntax
unauthorized-rsp-file = <file_name>
Description
Specifies the file that contains the body that is used when constructing a 401 Unauthorized response. This response is generated when either of the following scenarios occur:
- All OAuth data is missing from a request.
- The OAuth data fails validation.
Options
<file_name> The name of the 401 Unauthorized response file.
Usage
This stanza entry is required when configuring OAuth EAS authentication.
Default value
None.
Example
unauthorized-rsp-file = unauth_response.html
[obligations-levels-mapping] stanza
obligation
Syntax
<obligation> = <authentication-level>
Description
Defines the mappings between the obligation levels that the policy decision point (PDP) returns and the WebSEAL step-up authentication levels. Include a separate entry for each obligation that runtime security services (RTSS) returns to the runtime security services EAS.
The mapping between the obligation levels and the WebSEAL authentication levels must be one-to-one. The user must authenticate only through the appropriate obligation mechanisms.
The runtime security services EAS maps the obligation to the authentication level specified in this stanza and requests WebSEAL to authenticate the user at that level.
Options
<obligation> The name of the obligation that RTSS returns to the runtime security services EAS.
<authentication-level> The WebSEAL authentication level that the runtime security services EAS includes in the WebSEAL request. This value is a number that represents the authentication level in the [authentication-levels] stanza. Each entry in the [authentication-levels] stanza is assigned a number based on its position in the list; the first entry is level 0. For more information, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy and search for specifying authentication levels.
Usage
This stanza entry is required.
Default value
None.
Example
life_questions = 2
otp = 3
email = 4
voice = 5
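The two constraints stated above, that each level must be a position in the [authentication-levels] list counted from 0 and that the mapping must be one-to-one, are exactly the kind of thing that breaks silently when one stanza is edited and the other is not. The following Python check is an added example and not part of the IBM product: it parses a constructed WebSEAL-style configuration fragment, resolves every obligation to the mechanism it will step the user up to, and rejects levels that point past the list or that two obligations share. The sample configuration is constructed for this example; the "level = mechanism" key form for [authentication-levels] and the mechanism names are assumptions drawn from WebSEAL configuration as I know it, so compare them against your own file.

```python
import re

# Constructed configuration fragment for this example (not from an appliance).
# [authentication-levels] uses the "level = mechanism" form; the first entry is level 0.
SAMPLE_CONFIG = """
[authentication-levels]
level = unauthenticated
level = password
level = life_questions
level = otp
level = email
level = voice

[obligations-levels-mapping]
life_questions = 2
otp = 3
email = 4
voice = 5
"""

# Same fragment with two obligations mapped to level 3: not one-to-one, must be rejected.
NOT_ONE_TO_ONE = SAMPLE_CONFIG.replace("email = 4", "email = 3")
# Same fragment with a level that has no [authentication-levels] entry.
OUT_OF_RANGE = SAMPLE_CONFIG.replace("voice = 5", "voice = 9")


def parse_stanzas(text):
    """Parse stanza text into {stanza_name: [(key, value), ...]}.

    Repeated keys are kept in order because [authentication-levels] relies on position.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def resolve_obligations(stanzas):
    """Map each obligation to (level, mechanism), enforcing the page's two constraints."""
    levels = [v for k, v in stanzas.get("authentication-levels", []) if k == "level"]
    if not levels:
        raise ValueError("no [authentication-levels] entries found")
    mapping = {}
    owner_of_level = {}
    for obligation, value in stanzas.get("obligations-levels-mapping", []):
        if not value.isdigit():
            raise ValueError(f"{obligation}: level {value!r} is not a non-negative integer")
        level = int(value)
        if level >= len(levels):
            raise ValueError(f"{obligation}: level {level} has no [authentication-levels] "
                             f"entry (highest defined level is {len(levels) - 1})")
        if obligation in mapping:
            raise ValueError(f"{obligation}: obligation mapped more than once")
        if level in owner_of_level:
            raise ValueError(f"{obligation}: level {level} is already used by "
                             f"{owner_of_level[level]}; the mapping must be one-to-one")
        owner_of_level[level] = obligation
        mapping[obligation] = (level, levels[level])
    return mapping


def check_config(text):
    """Return (True, mapping) for a valid fragment, or (False, reason) for a bad one."""
    try:
        return True, resolve_obligations(parse_stanzas(text))
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_CONFIG), ("duplicate level", NOT_ONE_TO_ONE),
                       ("out of range", OUT_OF_RANGE)]:
        print(name, "->", check_config(text))
```

Run it against the real configuration file before a restart; an out-of-range level is only caught at runtime otherwise, when the EAS asks WebSEAL for a step-up level that does not exist.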
[p3p-header] stanza
access
Syntax
access = {none|all|nonident|contact-and-other|ident-contact|other-ident}
Description
Specifies the type of access the user has to the information contained within and linked to the cookie.
Options
none No access to identified data is given.
all Access is given to all identified data.
contact-and-other Access is given to identified online and physical contact information as well as to certain other identified data.
ident-contact Access is given to identified online and physical contact information. For example, users can access things such as a postal address.
nonident Web site does not collect identified data.
other-ident Access is given to certain other identified data. For example, users can access things such as their online account charges.
Usage
This stanza entry is required.
Default value
none
Example
access = none
categories
Syntax
categories = {physical|online|uniqueid|purchase|financial|computer|navigation|interactive|demographic|content|state|political|health|preference|location|government|other-category}
Description
Specifies the type of information stored in the cookie or linked to by the cookie. When the non-identifiable stanza entry is set to yes, then no categories need be configured.
Options
physical Information that allows an individual to be contacted or located in the physical world. For example, telephone number or address.
online Information that allows an individual to be contacted or located on the Internet.
uniqueid Non-financial identifiers, excluding government-issued identifiers, issued for purposes of consistently identifying or recognizing the individual.
purchase Information actively generated by the purchase of a product or service, including information about the method of payment.
financial Information about an individual's finances including account status and activity information such as account balance, payment or overdraft history, and information about an individual's purchase or use of financial instruments including credit or debit card information.
computer Information about the computer system that the individual is using to access the network. For example, IP number, domain name, browser type or operating system.
navigation Data passively generated by browsing the Web site. For example, which pages are visited, and how long users stay on each page.
interactive Data actively generated from or reflecting explicit interactions with a service provider through its site. For example, queries to a search engine, or logs of account activity.
demographic Data about an individual's characteristics. For example, gender, age, and income.
content The words and expressions contained in the body of a communication. For example, the text of email, bulletin board postings, or chat room communications.
state Mechanisms for maintaining a stateful session with a user or automatically recognizing users who have visited a particular site or accessed particular content previously. For example, HTTP cookies.
political Membership in or affiliation with groups such as religious organizations, trade unions, professional associations and political parties.
health Information about an individual's physical or mental health, sexual orientation, use or inquiry into health care services or products, and purchase of health care services or products.
preference Data about an individual's likes and dislikes. For example, favorite color or musical tastes.
location Information that can be used to identify an individual's current physical location and track them as their location changes. For example, Global Positioning System position data.
government Identifiers issued by a government for purposes of consistently identifying the individual.
other-category Other types of data not captured by the above definitions.
Usage
This stanza entry is required.
Default value
uniqueid
Example
categories = uniqueid
disputes
Syntax
disputes = {yes|no}
Description
Specifies whether the full P3P policy contains some information regarding disputes over the information contained within the cookie.
Options
yes The value yes means that information about disputes is contained in the full P3P policy.
no The value no means that no information about disputes is contained in the policy.
Usage
This stanza entry is required.
Default value
no
Example
disputes = no
non-identifiable
Syntax
non-identifiable = {yes|no}
Description
Specifies that no information in the cookie, or linked to by the cookie, personally identifies the user.
Options
yes No data is collected (including Web logs), or the information collected does not identify the user.
no Data that is collected identifies the user.
Usage
This stanza entry is required.
Default value
no
Example
non-identifiable = no
p3p-element
Syntax
p3p-element = policyref=location_of_policy_reference
Description
Specifies elements to add to the P3P header in addition to the elements specified by the other configuration items in this stanza. Typically this is done by referring to the location of a full XML policy.
Options
policyref=location_of_policy_reference The default entry points to a default policy reference located on the World Wide Web Consortium Web site.
Usage
This stanza entry is required.
Default value
The default entry points to a default policy reference located on the World Wide Web Consortium Web site.
policyref="/w3c/p3p.xml"
Example
p3p-element = policyref="/w3c/p3p.xml"
purpose
Syntax
purpose = {current|admin|develop|tailoring|pseudo-analysis|pseudo-decision|individual-analysis|individual-decision|contact|historical|telemarketing|other-purpose}[:[opt-in|opt-out|always]]
Description
Specifies the purpose of the information in the cookie and linked to by the cookie.
Options
current Information can be used by the service provider to complete the activity for which it was provided.
admin Information can be used for the technical support of the Web site and its computer system.
develop Information can be used to enhance, evaluate, or otherwise review the site, service, product, or market.
tailoring Information can be used to tailor or modify content or design of the site where the information is used only for a single visit to the site.
pseudo-analysis Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals for purpose of research, analysis and reporting, but it will not be used to attempt to identify specific individuals.
pseudo-decision Information can be used to create or build a record of a particular individual or computer that is tied to a pseudonymous identifier, without tying identified data (such as name, address, phone number, or email address) to the record. This profile will be used to determine the habits, interests, or other characteristics of individuals to make a decision that directly affects that individual, but it will not be used to attempt to identify specific individuals.
individual-analysis Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data for the purpose of research, analysis and reporting.
individual-decision Information can be used to determine the habits, interests, or other characteristics of individuals and combine it with identified data to make a decision that directly affects that individual.
contact Information can be used to contact the individual, through a communications channel other than voice telephone, for the promotion of a product or service.
historical Information can be archived or stored for the purpose of preserving social history as governed by an existing law or policy.
telemarketing Information can be used to contact the individual through a voice telephone call for promotion of a product or service.
other-purpose Information may be used in other ways not captured by the above definitions.
For all values except current, an additional option can be specified. The possible values are:
always Users cannot opt-in or opt-out of this use of their data.
opt-in Data may be used for this purpose only when the user affirmatively requests this use.
opt-out Data may be used for this purpose unless the user requests that it not be used in this way.
When no additional option is specified, the default value is always.
Usage
This stanza entry is required.
Default value
The default values are current and other-purpose:opt-in.
Example
purpose = current
purpose = other-purpose:opt-in
recipient
Syntax
recipient = {ours|delivery|same|unrelated|public|other-recipient}[:[opt-in|opt-out|always]]
Description
Specifies the recipients of the information in the cookie, and linked to by the cookie.
Options
ours Ourselves and/or entities acting as our agents, or entities for whom we are acting as an agent. An agent is a third party that processes data only on behalf of the service provider.
delivery Legal entities performing delivery services that may use data for purposes other than completion of the stated purpose.
same Legal entities following our practices. These are legal entities who use the data on their own behalf under equable practices.
unrelated Unrelated third parties. These are legal entities whose data usage practices are not known by the original service provider.
public Public forums. These are public forums such as bulletin boards, public directories, or commercial CD-ROM directories.
other-recipient Legal entities following different practices. These are legal entities that are constrained by and accountable to the original service provider, but may use the data in a way not specified in the service provider's practices.
For all values an additional option can be specified. The possible values are:
always Users cannot opt-in or opt-out of this use of their data.
opt-in Data may be used for this purpose only when the user affirmatively requests this use.
opt-out Data may be used for this purpose unless the user requests that it not be used in this way.
When no additional option is specified, the default value is always.
Usage
This stanza entry is required.
Default value
ours
Example
recipient = ours
recipient = public:opt-in
remedies
Syntax
remedies = {correct|money|law}
Description
Specifies the types of remedies in case a policy breach occurs. When this entry has no value, there is no remedy information in the P3P compact policy.
Options
correct Errors or wrongful actions arising in connection with the privacy policy will be remedied by the service.
money If the service provider violates its privacy policy it will pay the individual an amount specified in the human readable privacy policy or the amount of damages.
law Remedies for breaches of the policy statement will be determined based on the law referenced in the human readable description.
Usage
This stanza entry is required.
Default value
correct
Example
remedies = correct
retention
Syntax
retention = {no-retention|stated-purpose|legal-requirement|business-practices|indefinitely}
Description
Specifies how long the information in the cookie or linked to by the cookie is retained.
Options
no-retention Information is not retained for more than a brief period of time necessary to make use of it during the course of a single online interaction.
stated-purpose Information is retained to meet the stated purpose, and is to be discarded at the earliest time possible.
legal-requirement Information is retained to meet a stated purpose, but the retention period is longer because of a legal requirement or liability.
business-practices Information is retained under a service provider's stated business practices.
indefinitely Information is retained for an indeterminate period of time.
Usage
This stanza entry is required.
Default value
no-retention
Example
retention = no-retention
[PAM] stanza
pam-enabled
Syntax
pam-enabled = {true|false}
Description
Enables or disables the IBM Internet Security Systems Protocol Analysis Module. The module inspects the HTTP content of selected requests, checking for potential security vulnerabilities.
Options
true Enables the Protocol Analysis Module.
false Disables the Protocol Analysis Module.
Usage
This stanza entry is required.
Default value
false
Example
pam-enabled = false
pam-max-memory
Syntax
pam-max-memory = memory_size
Description
The amount of memory, in bytes, that the IBM Internet Security Systems Protocol Analysis Module can use. The module uses this value to tune the size of its caches for the amount of available memory.
Options
memory_size
The amount of memory, in bytes, that is available to the module.
Usage
This stanza entry is optional.
Default value
None.
Example
pam-max-memory = 16777216
pam-use-proxy-header
Syntax
pam-use-proxy-header = {true|false}
Description
Controls whether the Protocol Analysis Module uses the X-Forwarded-For header to identify the client. This configuration item is useful if a network-terminating proxy is located between the server and the client. If the value is set to false, the module identifies the client based on the socket connection information. Because any client can send an X-Forwarded-For header of its own, set this to true only when every connection reaches WebSEAL through a trusted proxy that sets or appends the header; otherwise a client can choose the address the module attributes its requests to.
Options
true The module uses the X-Forwarded-For header to identify the client.
false The module uses the available socket connection information to identify the client.
Usage
This stanza entry is required.
Default value
false
Example
pam-use-proxy-header = false
pam-http-parameter
Syntax
pam-http-parameter = parameter:value
Description
Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module HTTP interface during initialization. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.
Note: You can specify this configuration entry multiple times, one for each parameter.
Options
parameter:value
The Protocol Analysis Module parameter and its assigned value.
Usage
This stanza entry is optional.
Default value
None.
Example
pam-http-parameter = param1:val1
pam-http-parameter = param2:val2
pam-coalescer-parameter
Syntax
pam-coalescer-parameter = parameter:value
Description
Defines specific parameters for WebSEAL to pass to the Protocol Analysis Module coalescer interface during initialization. The Protocol Analysis Module uses this interface to combine module-related issues into a single event. For a list of valid Protocol Analysis Module parameters, see the module documentation at http://www.iss.net/security_center/reference/help/pam.
Note: You can specify this configuration entry multiple times, one for each parameter.
Options
parameter:value
The Protocol Analysis Module parameter and its assigned value.
Usage
This stanza entry is optional.
Default value
None.
Example
pam-coalescer-parameter = combine:on
pam-log-cfg
Syntax
pam-log-cfg = agent [parameter=value],[parameter=value]...
Description
Configures the IBM Internet Security Systems Protocol Analysis Module for logging. You can use the available parameters to configure the logging agents.
Options
agent Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
• stdout
• stderr
• file
• remote
• rsyslog
parameter
The different agents support the following configuration parameters:
Table 2. Logging agent configuration parameters
Parameter Supporting agents
buffer_size remote
compress remote
dn remote
error_retry remote, rsyslog
flush_interval all
hi_water all
log_id file, rsyslog
max_event_len rsyslog
mode file
path all
port remote, rsyslog
queue_size all
rebind_retry remote, rsyslog
rollover_size file
server remote, rsyslog
ssl_keyfile rsyslog
ssl_label rsyslog
ssl_stashfile rsyslog
Note: For a complete description of the available logging agents and the supported configuration parameters, see the IBM Security Access Manager for Web: Auditing Guide.
Usage
This stanza entry is required.
Default value
None.
Example
To send logging from the Protocol Analysis Module to a file called pam.log:
pam-log-cfg = file path=pam.log
To send logging from the module to a remote syslog server:
pam-log-cfg = rsyslog server=timelord,port=514,log_id=webseal-instance
pam-log-audit-events
Syntax
pam-log-audit-events = {true|false}
Description
Specifies whether audit events are sent to the Protocol Analysis Module log file.
Note: You can use the pam-log-cfg entry in the [PAM] stanza to configure the log file for the module.
Options
true The Protocol Analysis Module sends audit events to the log file.
Note: This setting dramatically increases the number of logged events.
false The Protocol Analysis Module does not send audit events to the log file.
Usage
This stanza entry is required.
Default value
false
Example
pam-log-audit-events = false
pam-disabled-issues
Syntax
pam-disabled-issues = list_of_issues
Description
Specifies a comma-separated list of Protocol Analysis Module issues to disable. By default, all Protocol Analysis Module issues are enabled.
Options
list_of_issues
A comma-separated list of Protocol Analysis Module issues. The module disables each issue in the list.
Usage
This stanza entry is optional.
Default value
None.
Example
The following entry disables Ace_Filename_Overflow and HTTPS_Apache_ClearText_DoS.
pam-disabled-issues = 2121050,2114033
pam-resource-rule
Syntax
pam-resource-rule = [+|-]{URI}
Description
Specifies the rules that WebSEAL uses to determine whether to pass a particular resource down to the Protocol Analysis Module. WebSEAL examines each rule in sequence until a match is found. The first successful match determines whether WebSEAL passes the request to the module. WebSEAL does not pass the request to the module layer if no match is found.
You can define multiple resource rules. Each entry has the format: [+|-]{URI}. For example, -*.gif.
Options
+ Configures WebSEAL to pass matching requests to the Protocol Analysis Module layer.
- Configures WebSEAL not to pass matching requests to the Protocol Analysis Module layer.
{URI} Contains a pattern that WebSEAL uses to match against the URI that is found in the request. You can use the wildcard characters * and ?.
Usage
This stanza entry is optional.
Default value
None.
Example
pam-resource-rule = -*.gif
pam-resource-rule = +*.html
[pam-resource:<URI>] stanza
You can use this stanza to customize the Protocol Analysis Module processing for individual resources and events. The <URI> value contains a pattern that WebSEAL can match against the URI that is found in the request. You can use the wildcard characters * and ?. For example, [pam-resource:test.html] or [pam-resource:*.js].
pam-issue
Syntax
pam-issue = action
Description
You can use the entries in this stanza to control the processing of certain module-related events.
Options
pam-issue
Contains a pattern, which WebSEAL uses to match a Protocol Analysis Module issue. You can use the wildcard characters * and ?.
action The action to undertake for the issue. The action can be either of the following values:
block Blocks the connection for a specified number of seconds. For example, block:30.
ignore Ignores the issue and continues to process the request.
Usage
This stanza entry is required.
Default value
None.
Example
212105? = block:0
2119002 = block:20
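The following Python script is an added worked example; it is not part of this reference and not WebSEAL code. It evaluates pam-resource-rule entries in order with the first-match semantics described above (no match means the request is not inspected) and then looks up the action configured for a reported issue in a [pam-resource:<URI>] stanza. The rules and issue ids are the ones shown on this page; the `*.js` stanza and the request URIs are constructed for the demonstration. The page does not state which [pam-resource:<URI>] stanza wins when several patterns match a URI, so this example assumes the first matching stanza, and within it the first matching issue pattern, is consulted.

```python
import fnmatch

# Constructed configuration mirroring the pam-resource-rule entries shown above.
# Rules are evaluated in order; the first pattern that matches decides.
PAM_RESOURCE_RULES = [
    "-*.gif",
    "+*.html",
    "+/cgi-bin/*",   # constructed addition for the demonstration
]

# [pam-resource:<URI>] stanzas: URI pattern -> {issue pattern: action}.
# The "*.html" entries are the issue ids and actions from the page's example;
# the "*.js" stanza is constructed.
PAM_RESOURCE_STANZAS = {
    "*.html": {"212105?": "block:0", "2119002": "block:20"},
    "*.js": {"*": "ignore"},
}


def _matches(pattern: str, value: str) -> bool:
    """WebSEAL-style wildcard match: * is any run of characters, ? one character."""
    return fnmatch.fnmatchcase(value, pattern)


def should_inspect(uri: str, rules=PAM_RESOURCE_RULES) -> bool:
    """Return True when the request URI is handed to the Protocol Analysis Module.

    Rules are checked in sequence; the first rule whose pattern matches the URI
    decides ('+' pass, '-' do not pass). No match at all means not inspected.
    """
    for rule in rules:
        sign, pattern = rule[:1], rule[1:]
        if sign not in ("+", "-") or not pattern:
            raise ValueError(f"rule must have the form [+|-]{{URI}}: {rule!r}")
        if _matches(pattern, uri):
            return sign == "+"
    return False


def parse_action(action: str):
    """Turn 'block:30' into ('block', 30) and 'ignore' into ('ignore', None)."""
    if action == "ignore":
        return ("ignore", None)
    if action.startswith("block:"):
        return ("block", int(action.split(":", 1)[1]))
    raise ValueError(f"unknown pam-issue action: {action!r}")


def action_for_issue(uri: str, issue_id: str, stanzas=PAM_RESOURCE_STANZAS):
    """Return the (kind, seconds) action configured for an issue on a URI, or None.

    Assumption (not stated by the page): the first [pam-resource:<URI>] stanza
    whose pattern matches the URI is used, and within it the first issue
    pattern that matches the issue id wins.
    """
    for uri_pattern, issues in stanzas.items():
        if not _matches(uri_pattern, uri):
            continue
        for issue_pattern, action in issues.items():
            if _matches(issue_pattern, issue_id):
                return parse_action(action)
    return None


if __name__ == "__main__":
    for uri in ("/images/logo.gif", "/index.html", "/css/site.css"):
        print(uri, "-> inspected" if should_inspect(uri) else "-> not inspected")
    print("/index.html issue 2121050 ->", action_for_issue("/index.html", "2121050"))
```

Because an unmatched URI is silently not inspected, an administrator who wants everything except static images examined needs a trailing catch-all `+*` rule; with only the two rules from the page, a request for `/css/site.css` never reaches the module.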
[preserve-cookie-names] stanza
name
Syntax
name = cookie_name
Description
List of specific cookie names that WebSEAL must not modify.
WebSEAL, by default, modifies the names of cookies returned in responses from junctions created with pdadmin using the -j flag. WebSEAL also by default modifies the names of cookies listed in the junction mapping table (JMT). This default modification is done to prevent naming conflicts with cookies returned by other junctions.
When a front-end application depends on the names of specific cookies, the administrator can disable the modification of cookie names for those specific cookies. The administrator does this by listing the cookies in this stanza.
Options
cookie_name
When entering a value for cookie_name, use ASCII characters.
Usage
This stanza entry is optional.
Default value
There are no cookie names set by default.
Example
Name = JSESSIONID
[process-root-filter] stanza
root
Syntax
root = pattern
Description
Specifies the patterns for which you want root junction requests processed at the root junction when process-root-requests = filter.
Options
pattern Values for pattern must be standard WebSEAL wildcard patterns.
Usage
Entries in this stanza are required when process-root-requests = filter.
Default value
root = /index.html
root = /cgi-bin*
Example
root = /index.html
root = /cgi-bin*
[reauthentication] stanza
reauth-at-any-level
Syntax
reauth-at-any-level = {yes|no}
Description
Controls whether a different authentication level or mechanism is permitted during a reauthentication operation.
Options
yes During a reauthentication operation, a user can be authenticated using a different authentication level or mechanism from that which is currently held by the user. The user's new credential replaces the old one.
Note: If this configuration option is set to yes, the credential can change one or more times during the lifetime of the session. Also, the credential will always be updated upon a successful reauthentication regardless of the existing authentication level of the credential.
no During a reauthentication operation, a user can only be authenticated at the same authentication level or mechanism as the user's current credential.
Usage
This stanza entry is required.
Default value
no
Example
reauth-at-any-level = no
reauth-extend-lifetime
Syntax
reauth-extend-lifetime = number_of_seconds
Description
Integer value expressing the time in seconds that the credential cache timer should be extended to allow clients to complete a reauthentication.
Options
number_of_seconds
When the value is zero (0), the lifetime timer is not extended. WebSEAL imposes no maximum. The maximum value is limited only by the integer data type.
Usage
This stanza entry is required.
Default value
0
Example
reauth-extend-lifetime = 0
reauth-for-inactive
Syntax
reauth-for-inactive = {yes|no}
Description
Enables WebSEAL to prompt users to reauthenticate when their entry in the WebSEAL credential cache has timed out due to inactivity.
Options
yes Enable reauthentication.
no Disable reauthentication.
Usage
This stanza entry is required.
Default value
no
Example
reauth-for-inactive = no
reauth-reset-lifetime
Syntax
reauth-reset-lifetime = {yes|no}
Description
Enables WebSEAL to reset the lifetime timer for WebSEAL credential cache entries following successful reauthentication.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
no
Example
reauth-reset-lifetime = no
terminate-on-reauth-lockout
Syntax
terminate-on-reauth-lockout = {yes|no}
Description
Specifies whether or not to remove the session cache entry of a user who reaches the max-login-failures policy limit during reauthentication.
Options
yes When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is logged out and the user's session is removed.
no When the maximum number of failed login attempts (specified by the max-login-failures policy) is reached during reauthentication, the user is locked out as specified by the disable-time-interval setting, and notified of the lockout as specified by the late-lockout-notification setting. The user is not logged out and the initial login session is still valid. The user can still access other resources that are not protected by a reauthn POP.
Usage
This stanza entry is required.
Default value
yes
Example
terminate-on-reauth-lockout = yes
[replica-sets] stanza
replica-set
Syntax
replica-set = replica_set_name
Description
If WebSEAL is configured to use the SMS for session storage, the WebSEAL server joins each of the replica sets listed in this stanza. The entries listed here must be replica sets configured on the SMS.
Options
replica_set_name
Replica set name.
Usage
This stanza entry is optional.
Default value
None.
Example
replica-set = setA
[rtss-eas] stanza
You can use the rtss-eas configuration stanza to configure the EAS that communicates with the RBA server. The runtime security services EAS is used for a particular object if the effective POP for the object has an attribute called eas-trigger with an associated value of trigger_rba_eas.
apply-tam-native-policy
Syntax
apply-tam-native-policy = {true | false}
Description
Determines whether the IBM Security Access Manager for Web ACL policy takes effect.
Options
true Runtime security services EAS checks with Security Access Manager whether the user has permission to access the resource based on the ACL policy.
false Runtime security services EAS does not check the Security Access Manager ACL policy to determine whether the user has permission to access the resource.
Usage
This stanza entry is required.
Default value
None.
Example
apply-tam-native-policy = true
audit-log-cfg
Syntax
audit-log-cfg = <agent>[<parameter>=<value>],[<parameter>=<value>],...
Description
Configures audit logging for the runtime security service. You can use the available parameters to configure the logging agents.
Options
<agent>
Specifies the logging agent. The agent controls the logging destination for server events. Valid agents include:
• stdout
• stderr
• file
• remote
• rsyslog
<parameter>
The different agents support the following configuration parameters:
Table 3. Logging agent configuration parameters
Parameter Supporting agents
buffer_size remote
compress remote
dn remote
error_retry remote, rsyslog
flush_interval all
hi_water all
log_id file, rsyslog
max_event_len rsyslog
mode file
path all
port remote, rsyslog
queue_size all
rebind_retry remote, rsyslog
rollover_size file
server remote, rsyslog
ssl_keyfile rsyslog
ssl_label rsyslog
ssl_stashfile rsyslog
Note: For a complete description of the available logging agents and the supported configuration parameters, see the Security Access Manager: Auditing Guide.
Usage
This stanza entry is optional.
Note: You must configure this attribute if you want WebSEAL to log runtime security audit events. If there is no value set, then WebSEAL does not log any audit events for the runtime security service.
Default value
None.
Example
To log audit events in a file called rtss-audit.log:
audit-log-cfg = file path=/tmp/rtss-audit.log,flush_interval=20,rollover_size=2000000,queue_size=48
To send audit logs to STDOUT:
audit-log-cfg = stdout
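The pam-log-cfg entry in the [PAM] stanza and the audit-log-cfg entry above share the same agent/parameter syntax and the same parameter table (Table 2 and Table 3 are identical). The following Python script is an added example, not part of this reference or of the product: it parses an entry of that form and checks each parameter against the table, so a log destination that silently ignores an unsupported parameter (for example compress on a file agent) is caught before the configuration is deployed. The parameter table is transcribed from the page; the malformed entries used for the checks are constructed.

```python
# Supported parameters per logging agent, transcribed from Table 2 / Table 3.
# "all" means every agent accepts the parameter.
LOG_PARAMS = {
    "buffer_size": {"remote"},
    "compress": {"remote"},
    "dn": {"remote"},
    "error_retry": {"remote", "rsyslog"},
    "flush_interval": {"all"},
    "hi_water": {"all"},
    "log_id": {"file", "rsyslog"},
    "max_event_len": {"rsyslog"},
    "mode": {"file"},
    "path": {"all"},
    "port": {"remote", "rsyslog"},
    "queue_size": {"all"},
    "rebind_retry": {"remote", "rsyslog"},
    "rollover_size": {"file"},
    "server": {"remote", "rsyslog"},
    "ssl_keyfile": {"rsyslog"},
    "ssl_label": {"rsyslog"},
    "ssl_stashfile": {"rsyslog"},
}

# Valid agents listed on the page.
AGENTS = {"stdout", "stderr", "file", "remote", "rsyslog"}


def parse_log_cfg(value: str):
    """Parse 'agent param=value,param=value' into (agent, {param: value}).

    The agent is the first whitespace-delimited token; everything after it is
    a comma-separated list of parameter=value pairs (an empty list is allowed,
    as in 'audit-log-cfg = stdout').
    """
    value = value.strip()
    if not value:
        raise ValueError("empty log configuration")
    parts = value.split(None, 1)
    agent = parts[0]
    params = {}
    if len(parts) == 2:
        for item in parts[1].split(","):
            item = item.strip()
            if not item:
                continue
            if "=" not in item:
                raise ValueError(f"parameter without a value: {item!r}")
            key, val = item.split("=", 1)
            params[key.strip()] = val.strip()
    return agent, params


def check_log_cfg(value: str):
    """Return a list of problems found in one pam-log-cfg / audit-log-cfg value.

    An empty list means every parameter is known and supported by the agent.
    """
    problems = []
    agent, params = parse_log_cfg(value)
    if agent not in AGENTS:
        problems.append(f"unknown agent {agent!r}")
        return problems
    for name in params:
        allowed = LOG_PARAMS.get(name)
        if allowed is None:
            problems.append(f"unknown parameter {name!r}")
        elif "all" not in allowed and agent not in allowed:
            problems.append(f"parameter {name!r} is not supported by agent {agent!r}")
    return problems


if __name__ == "__main__":
    # The two examples from the page, plus a constructed bad entry.
    for entry in (
        "file path=pam.log",
        "rsyslog server=timelord,port=514,log_id=webseal-instance",
        "file compress=yes",
    ):
        print(entry, "->", check_log_cfg(entry) or "ok")
```

The check only validates parameter/agent compatibility, which is what the table states; which parameters are mandatory for a given agent is not specified on this page, so the script does not guess at it.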
cluster-name
Syntax
cluster-name = <cluster_name>
Description
The name of the runtime security services SOAP cluster that hosts this runtime security SOAP service. You must also specify a corresponding [rtss-cluster:<cluster>] stanza, which contains the definition of the cluster.
Options
<cluster_name>
The name of the runtime security services SOAP cluster where the runtime security SOAP service is hosted.
Usage
This stanza entry is required.
Default value
None.
Example
cluster-name = cluster1
For this example, there needs to be a corresponding [rtss-cluster:cluster1] stanza to define the cluster.
context-id
Syntax
context-id = <service_name>
Description
Specifies the context-id that the runtime security services EAS uses when sending XACML requests to runtime security services (RTSS). This value must match the service name of the deployed policy.
Note: If the context-id parameter is not set, it defaults to the WebSEAL server name.
Options
<service_name>
The context-id that EAS uses to send XACML requests to RTSS.
Usage
This stanza entry is optional.
Default value
If there is no value provided for this parameter, it defaults to the WebSEAL server name.
Example
context-id = webseal.ibm.com
trace-component
Syntax
trace-component = <component_name>
Description
Specifies the name of the Security Access Manager trace component that the EAS uses.
Options
<component_name>
The name of the Security Access Manager trace component.
Usage
This stanza entry is required.
Note: The configured component traces the data that passes into the runtime security services EAS, which is governed by the [azn-decision-info] stanza. This trace might contain sensitive information.
Default value
None.
Example
trace-component = pdweb.rtss
[rtss-cluster:<cluster>] stanza
This stanza contains the configuration entries for the runtime security services SOAP servers.
basic-auth-user
Syntax
basic-auth-user = <user_name>
Description
Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.
Options
<user_name>
The user name for WebSEAL to include in the basic authentication header.
Usage
This stanza entry is optional.
Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.
Default value
None.
Example
basic-auth-user = userA
basic-auth-passwd
Syntax
basic-auth-passwd = <password>
Description
Specifies the password for WebSEAL to include in the basic authentication header when communicating with the runtime security services SOAP server.
Options
<password>
The password that WebSEAL includes in the basic authentication header.
Usage
This stanza entry is optional.
Note: Configure this entry if the runtime security services SOAP server is configured to require basic authentication.
Default value
None.
Example
basic-auth-passwd = password
handle-idle-timeout
Syntax
handle-idle-timeout = <number>
Description
Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.
Options
<number>
Length of time, in seconds, before an idle handle is removed from the handle pool cache.
Usage
This stanza entry is required.
Default value
None.
Example
handle-idle-timeout = 240
handle-pool-size
Syntax
handle-pool-size = <number>
Description
The maximum number of cached handles that WebSEAL uses to communicate with runtime security services SOAP.
Options
<number>
The maximum number of handles that WebSEAL uses for runtime security services SOAP communication.
Usage
This stanza entry is required.
Default value
None.
Example
handle-pool-size = 10
server
Syntax
server = {[0-9],}<URL>
Description
Specifies a priority level and URL for each runtime security services SOAP server that is a member of this cluster. Multiple server entries can be specified for a given cluster for failover and load balancing.
Options
[0-9] A digit, 0-9, that represents the priority of the server in the cluster (9 being the highest, 0 being the lowest). If the priority is not specified, a priority of 9 is assumed.
Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.
<URL>
A well-formed HTTP or HTTPS uniform resource locator for the runtime security services (RTSS).
Usage
This stanza entry is required.
Default value
None.
Example
server = 9,http://localhost:9080/rtss/authz/services/AuthzService
ssl-fips-enabled
Syntax
ssl-fips-enabled = {yes|no}
Description
Determines whether Federal Information Processing Standards (FIPS) mode is enabled with runtime security services SOAP.
Note: If no configuration entry is present, the global setting, determined by the Access Manager policy server, takes effect.
Options
yes FIPS mode is enabled.
no FIPS mode is disabled.
Usage
This stanza entry is required if both of the following conditions are true:
• One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
• A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Note: If you want to use a FIPS level that is different from the Access Manager policy server, edit the configuration file and specify a value for this entry.
Example
ssl-fips-enabled = yes
ssl-keyfile
Syntax
ssl-keyfile = <file_name>
Description
The name of the key database file that houses the client certificate for WebSEAL to use.
Options
<file_name>
The name of the key database file that houses the client certificate for WebSEAL to use.
Usage
This stanza entry is required if both of the following conditions are true:
• One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
• A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile = file_name
ssl-keyfile-label
Syntax
ssl-keyfile-label = <label_name>
Description
The label of the client certificate in the key database.
Options
<label_name>
Client certificate label name.
Usage
This stanza entry is required if both of the following conditions are true:
• One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
• A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-label = label_name
ssl-keyfile-stash
Syntax
ssl-keyfile-stash = <file_name>
Description
The name of the password stash file for the key database file.
Options
<file_name>
The name of the password stash file for the key database file.
Usage
This stanza entry is required if both of the following conditions are true:
• One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
• A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-stash = file_name
ssl-valid-server-dn
Syntax
ssl-valid-server-dn = <DN-value>
Description
Specifies the distinguished name of the server (obtained from the server SSL certificate) that WebSEAL can accept.
Options
<DN-value>
The distinguished name of the server (obtained from the server SSL certificate) that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.
Usage
This stanza entry is required if both of the following conditions are true:
• One or more of the cluster server entries use SSL. That is, at least one server entry specifies a URL that uses the HTTPS protocol.
• A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [rtss-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US
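The server entry and the ssl-* entries of the [rtss-cluster:<cluster>] stanza interact: the ssl-* entries are only required once at least one server URL uses HTTPS, and when they are absent WebSEAL falls back to the global [ssl] stanza. The following Python script is an added example, not part of this reference or of the product, that parses server entries with the documented `{[0-9],}<URL>` form (priority 9 assumed when omitted, no space allowed after the comma), orders them for failover, and reports which ssl-* entries an HTTPS cluster is missing so an administrator can confirm that falling back to [ssl] is intended. The server URL is the one from the page; the example.test host names and the stanza dictionaries are constructed.

```python
from urllib.parse import urlsplit

# ssl-* entries the page lists as required for an HTTPS cluster member when a
# certificate other than the [ssl] default is needed.
SSL_ENTRIES = [
    "ssl-fips-enabled",
    "ssl-keyfile",
    "ssl-keyfile-label",
    "ssl-keyfile-stash",
    "ssl-valid-server-dn",
]


def parse_server_entry(value: str):
    """Parse a 'server = {[0-9],}<URL>' value into (priority, url).

    A leading single digit followed by a comma is the priority (9 highest,
    0 lowest); without it the comma is omitted and priority 9 is assumed.
    A space between the comma and the URL is rejected, as the page requires.
    """
    value = value.strip()
    if len(value) >= 2 and value[0].isdigit() and value[1] == ",":
        priority, url = int(value[0]), value[2:]
        if url[:1].isspace():
            raise ValueError("no space is allowed between the priority comma and the URL")
    else:
        priority, url = 9, value
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a well-formed HTTP or HTTPS URL: {url!r}")
    return priority, url


def is_valid_server_entry(value: str) -> bool:
    """True when parse_server_entry accepts the value."""
    try:
        parse_server_entry(value)
        return True
    except ValueError:
        return False


def failover_order(entries):
    """Return the server URLs highest priority first (stable within a priority)."""
    parsed = [parse_server_entry(e) for e in entries]
    return [url for _, url in sorted(parsed, key=lambda p: -p[0])]


def check_cluster_ssl(stanza: dict):
    """Return the ssl-* entries absent from an [rtss-cluster:<cluster>] stanza
    that has at least one HTTPS server; an HTTP-only cluster returns [].

    `stanza` maps entry names to values; the repeatable 'server' entry is a
    list. An absent entry is not necessarily an error (WebSEAL falls back to
    the global [ssl] stanza), but each one should be a deliberate choice,
    particularly ssl-valid-server-dn, whose absence makes every server DN
    acceptable.
    """
    urls = [parse_server_entry(e)[1] for e in stanza.get("server", [])]
    if not any(urlsplit(u).scheme == "https" for u in urls):
        return []
    return [name for name in SSL_ENTRIES if name not in stanza]


if __name__ == "__main__":
    # Constructed cluster: the page's example server plus two HTTPS members.
    cluster = {
        "server": [
            "9,http://localhost:9080/rtss/authz/services/AuthzService",
            "3,https://b.example.test/rtss",
            "https://a.example.test/rtss",
        ],
        "ssl-keyfile": "rtss.kdb",
    }
    print("failover order:", failover_order(cluster["server"]))
    print("missing ssl entries:", check_cluster_ssl(cluster))
```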
timeout
Syntax
timeout = <seconds>
Description
The length of time (in seconds) to wait for a response from runtime security services SOAP.
Options
<seconds>
The length of time (in seconds) to wait for a response from runtime security services SOAP.
Usage
This stanza entry is required.
Default value
None.
Example
timeout = 240
[script-filtering] stanza
hostname-junction-cookie
Syntax
hostname-junction-cookie = {yes|no}
Description
Enables WebSEAL to uniquely identify the cookie used for resolving unfiltered links. This is used when another WebSEAL server has created a junction to this WebSEAL server, using a WebSEAL to WebSEAL junction.
Options
yes Enable.
no Disable.
Usage
This stanza entry is optional, but it is included by default in the configuration file.
Default value
no
Example
hostname-junction-cookie = no
rewrite-absolute-with-absolute
Syntax
rewrite-absolute-with-absolute = {yes|no}
Description
Enables WebSEAL to rewrite absolute URLs with new absolute URLs that contain the protocol, host, and port (optionally) that represent how the user accessed the WebSEAL server.
Options
yes Enable.
no Disable.
Usage
This stanza entry is optional.
Default value
There is no default value, but if the entry is not specified in this configuration file, WebSEAL assumes the value is no.
Example
rewrite-absolute-with-absolute = no
script-filter
Syntax
script-filter = {yes|no}
Description
Enables or disables script filtering support. When enabled, WebSEAL can filter absolute URLs encountered in scripts such as JavaScript.
Options
yes A value of yes means enabled.
no A value of no means disabled.
Usage
This stanza entry is optional, but is included by default.
Default value
When it is not declared, the value for the script-filter functionality is no by default.
Example
script-filter = no
[server] stanza
allow-shift-jis-chars
Syntax
allow-shift-jis-chars = {yes|no}
Description
Specifies whether junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.
Options
yes Junctions created using -w will allow all Shift-JIS multibyte characters in junction file and path names.
no Junction file and path names using Shift-JIS multibyte characters containing the single byte character '\' will be rejected.
Usage
This stanza entry is required.
Default value
no
Example
allow-shift-jis-chars = no
allow-unauth-ba-supply
Syntax
allow-unauth-ba-supply = {yes|no}
Description
This parameter determines access to -b supply junctions by unauthenticated users. By default, unauthenticated users are required to log in before accessing any resource located on a junctioned server where that junction was created with the -b supply argument.
Options
yes When allow-unauth-ba-supply is set to yes, unauthenticated users can access -b supply junctions. The basic authentication header supplied by WebSEAL in the forwarded request contains the string unauthenticated for the value of the header.
no When allow-unauth-ba-supply is set to no, unauthenticated users cannot access -b supply junctions. Users receive a login prompt.
Usage
This stanza entry is required.
Default value
no
Example
allow-unauth-ba-supply = no
allow-unsolicited-logins
Syntax
allow-unsolicited-logins = {yes | no}
Description
This parameter controls whether WebSEAL accepts unsolicited authentication requests. If this parameter is set to no, WebSEAL accepts a login request only if WebSEAL sent the login form to the client to prompt authentication.
Options
yes When allow-unsolicited-logins is set to yes, WebSEAL accepts unsolicited logins.
no When allow-unsolicited-logins is set to no, WebSEAL does not accept unsolicited logins. This setting ensures that WebSEAL always issues a login form to the client as part of the authentication process.
Usage
This stanza entry is optional.
Default value
yes
Example
allow-unsolicited-logins = yes
auth-challenge-type
Syntax
auth-challenge-type = list
Description
Contains a comma-separated list of authentication types that is used when challenging a client for authentication information.
Each authentication type can be customized for particular user agent strings. For more information about authentication challenges based on the user agent, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
You can customize this configuration item for a particular junction by adding the adjusted configuration item to a [server:{jct_id}] stanza, where {jct_id} refers to the junction point for a standard junction (including the leading / character) or the virtual host label for a virtual host junction.
Options
list A comma-separated list of authentication types that is used when challenging a client for authentication information. The supported authentication types include:
• ba
• forms
• cert
• eai
The corresponding authentication configuration entry (for example, ba-auth) must be enabled for each specified authentication challenge type.
Each authentication type can also be qualified with a set of rules to specify the user agents that receive a given challenge type. These rules are separated by semicolons and placed inside square brackets preceding the authentication type. Each rule consists of a plus (+) or minus (-) symbol to indicate inclusion or exclusion, and the pattern to match on. The pattern can include:
• Alphanumeric characters
• Spaces
• Periods (.)
• Wildcard characters, such as, question mark (?) and asterisk (*)
Usage
This stanza entry is optional.
Default value
By default, the list of authentication challenge types matches the list of configured authentication mechanisms.
auth-challenge-type = ba
auth-challenge-type = forms
Example
auth-challenge-type = ba, forms
auth-challenge-type = [-msie;+ms]ba, [+mozilla*;+*explorer*]forms
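The following Python script is an added example, not part of this reference or of the product. It parses the auth-challenge-type syntax shown above (comma-separated types, each optionally preceded by a bracketed, semicolon-separated list of +pattern / -pattern user-agent rules) and decides which challenge types a given User-Agent would be offered. The page defines the syntax but not the order in which rules are evaluated, so the evaluation semantics here are an assumption of this example: a type with no rules is always offered; otherwise its rules are tried in order, the first pattern that matches decides (+ offer, - withhold), and a type none of whose rules match is not offered. Patterns are treated as case-insensitive wildcard matches against the whole User-Agent string. The configuration string and User-Agent values used in the demonstration are constructed.

```python
import fnmatch
import re

# Constructed configuration for the demonstration. The page's own example,
# [-msie;+ms]ba, would only match a User-Agent that is exactly "msie" or "ms"
# under whole-string matching, so this variant uses * to match substrings.
CONSTRUCTED_CHALLENGE_CFG = "[-*msie*;+*]ba, [+mozilla*;+*explorer*]forms"

# One list entry: optional "[rule;rule]" qualifier followed by the type name.
_ENTRY = re.compile(r"(?:\[([^\]]*)\])?\s*([A-Za-z]+)")


def parse_auth_challenge_type(value: str):
    """Parse an auth-challenge-type value.

    Returns a list of (auth_type, rules); rules is a list of
    (include: bool, pattern: str) in configuration order, empty when the
    type carries no [...] qualifier.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        match = _ENTRY.fullmatch(item)
        if not match:
            raise ValueError(f"malformed challenge entry: {item!r}")
        rules = []
        if match.group(1):
            for rule in match.group(1).split(";"):
                rule = rule.strip()
                if rule[:1] not in ("+", "-") or len(rule) < 2:
                    raise ValueError(f"rule must be +pattern or -pattern: {rule!r}")
                rules.append((rule[0] == "+", rule[1:]))
        entries.append((match.group(2), rules))
    return entries


def challenge_types_for(user_agent: str, value: str):
    """Return the challenge types offered to a client with this User-Agent.

    Assumed semantics (see the lead-in): no rules means always offered;
    otherwise the first matching rule decides, and no match means withheld.
    """
    offered = []
    ua = user_agent.lower()
    for auth_type, rules in parse_auth_challenge_type(value):
        if not rules:
            offered.append(auth_type)
            continue
        for include, pattern in rules:
            if fnmatch.fnmatchcase(ua, pattern.lower()):
                if include:
                    offered.append(auth_type)
                break   # first matching rule decides
    return offered


if __name__ == "__main__":
    for ua in ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)", "curl/7.68.0"):
        print(ua, "->", challenge_types_for(ua, CONSTRUCTED_CHALLENGE_CFG))
```

A User-Agent header is client-supplied, so these rules only shape which challenge a client sees; they do not decide whether the client is authenticated, which still depends on the corresponding mechanism (for example ba-auth) being enabled and succeeding.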
cache-host-header
Syntax
cache-host-header = {yes|no}
Description
This configuration option determines whether WebSEAL caches the host and protocol of the original request.
By default, when caching an original request, WebSEAL only caches the URL. That is, WebSEAL does not cache the host and protocol of the original request. In this case, when returning a redirect to the original URL, WebSEAL simply redirects to the current host. This causes problems if a request for a protected resource on one virtual host, hostA, results in an authentication operation being processed on a different virtual host, hostB. In this case, the client is incorrectly redirected to hostB rather than hostA. This behavior can be corrected by enabling this stanza entry so that WebSEAL can cache the host and protocol of the original request to be used for redirection.
Options
yes WebSEAL caches the host and protocol of the original request in addition to the URL. In this case:
• Both the host and protocol are cached and used in redirects. They cannot be separately managed.
• The protocol is not cached if the host header is not present.
• Requests will only be recovered from the cache if the protocol, the host and the URL all match the original request.
Limitations associated with this caching behavior:
• The contents of the existing URL macro will not include the protocol and host. No new macros have been added to represent these elements.
• It is not possible to specify a protocol and host when a switch user administrator specifies a URL.
no WebSEAL only caches the URL associated with the original request and redirects to the current host.
Usage
This stanza entry is optional.
Default value
no
Example
cache-host-header = yes
capitalize-content-length
Syntax
capitalize-content-length = {yes|no}
Description
This parameter determines whether WebSEAL uses capitalized first letters in the content-length header. That is, whether the name of the HTTP content-length header is Content-Length or content-length.
NOTE: The Documentum client application expects the name of the HTTP content-length header to be Content-Length, with a capitalized "C" and "L".
Options
yes WebSEAL uses the Documentum-compliant header name Content-Length.
no WebSEAL uses all lowercase for the content-length header. That is, content-length.
Usage
This stanza entry is optional.
Default value
no
Example
capitalize-content-length = yes
client-connect-timeout
Syntax
client-connect-timeout = number_of_seconds
Description
After the initial connection handshake has occurred, this parameter dictates how long (in seconds) WebSEAL holds the connection open for the initial HTTP or HTTPS request.
Options
number_of_seconds
Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.
Usage
This stanza entry is required.
Default value
120
Example
client-connect-timeout = 120
chunk-responses
Syntax
chunk-responses = {yes|no}
Description
Enables WebSEAL to write chunked data to HTTP/1.1 clients. This can improve performance by allowing connections to be reused even when the exact response length is not known before the response is written.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
yes
Example
chunk-responses = yes
concurrent-session-threads-hard-limit
Syntax
concurrent-session-threads-hard-limit = number_of_threads
Description
The maximum number of concurrent threads that a single user session can consume. When a user session reaches its thread limit, WebSEAL stops processing any new requests for the user session and returns an error to the client.
If you do not specify a value for this entry, there is no limit to the number of concurrent threads that a user session can consume.
Options
number_of_threads
The maximum number of concurrent threads that a single user session can consume before WebSEAL returns an error.
Usage
This stanza entry is optional.
Default value
Unlimited.
Example
concurrent-session-threads-hard-limit = 10
concurrent-session-threads-soft-limit
Syntax
concurrent-session-threads-soft-limit = number_of_threads
Description
The maximum number of concurrent threads that a single user session can consume before WebSEAL generates warning messages. WebSEAL continues processing requests for this session until it reaches the configured concurrent-session-threads-hard-limit (also in the [server] stanza).
Options
number_of_threads
Integer value representing the maximum number of concurrent threads that a single session can consume before WebSEAL generates warning messages.
Usage
This stanza entry is optional.
Default value
Unlimited.
Example
concurrent-session-threads-soft-limit = 5
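The soft and hard limits above act on one counter: the count of worker threads currently serving a single session. The following is an added illustration of that two-tier control, not WebSEAL code; the exact point at which WebSEAL counts a thread, the wording of its warning and the session identifier are assumptions, and None models the documented default of "Unlimited" for either entry.

```python
"""Per-session concurrency limiter modelled on the [server] stanza entries
concurrent-session-threads-soft-limit and concurrent-session-threads-hard-limit.
Added illustration, not WebSEAL code; counting points and messages are assumed."""
import threading
from typing import Dict, List, Optional


class SessionThreadLimiter:
    def __init__(self, soft_limit: Optional[int] = None, hard_limit: Optional[int] = None):
        # None models the documented default of "Unlimited" for either entry.
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self._active: Dict[str, int] = {}
        self._lock = threading.Lock()
        self.warnings: List[str] = []

    def acquire(self, session_id: str) -> bool:
        """Call when a worker thread starts handling a request for session_id.
        Returns False once the session already holds hard_limit threads; the
        caller should then answer the client with an error instead of serving it."""
        with self._lock:
            current = self._active.get(session_id, 0)
            if self.hard_limit is not None and current >= self.hard_limit:
                return False
            current += 1
            if self.soft_limit is not None and current > self.soft_limit:
                # Above the soft limit WebSEAL only warns and keeps serving.
                self.warnings.append(
                    f"session {session_id}: {current} concurrent threads "
                    f"exceeds soft limit {self.soft_limit}")
            self._active[session_id] = current
            return True

    def release(self, session_id: str) -> None:
        """Call when the worker thread finishes the request."""
        with self._lock:
            remaining = self._active.get(session_id, 0) - 1
            if remaining <= 0:
                self._active.pop(session_id, None)
            else:
                self._active[session_id] = remaining

    def active(self, session_id: str) -> int:
        with self._lock:
            return self._active.get(session_id, 0)


def simulate_burst(soft_limit: Optional[int], hard_limit: Optional[int], requests: int) -> dict:
    """Start `requests` overlapping requests for one constructed session without
    releasing any, then report what was admitted, refused and warned about."""
    limiter = SessionThreadLimiter(soft_limit, hard_limit)
    admitted = [limiter.acquire("sess-constructed-1") for _ in range(requests)]
    return {
        "admitted": admitted.count(True),
        "refused": admitted.count(False),
        "warnings": len(limiter.warnings),
        "active": limiter.active("sess-constructed-1"),
    }


if __name__ == "__main__":
    # soft-limit 5 / hard-limit 10 with 12 overlapping requests: 10 served,
    # 2 refused, and a warning for each of the 6th to 10th threads.
    print(simulate_burst(soft_limit=5, hard_limit=10, requests=12))
```

A practical consequence visible in the simulation: the soft limit never refuses anything, so a session that is a runaway client only generates log noise until the hard limit is also configured.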
connection-request-limit
Syntax
connection-request-limit = number_of_requests
Description
Specifies the maximum number of requests that will be processed on a single persistent connection.
Options
number_of_requests
The maximum number of requests that will be processed on a single persistent connection.
Usage
This stanza entry is required.
Default value
100
Example
connection-request-limit = 100
cope-with-pipelined-request
Syntax
cope-with-pipelined-request = {yes|no}
Description
WebSEAL does not support pipelined requests from browsers. If this option is set to yes, when WebSEAL detects pipelined requests it will close the connection and inform the browser that it should re-send the pipelined requests in a normal manner. This parameter should always be set to yes unless the previous WebSEAL behavior is required.
Options
yes Enable.
no Disable.
Usage
This stanza entry is required.
Default value
yes
Example
cope-with-pipelined-request = yes
decode-query
Syntax
decode-query = {yes|no}
Description
Validates the query string in requests according to the utf8-qstring-support-enabled parameter.
Options
yes When decode-query is set to yes, WebSEAL validates the query string in requests according to the utf8-qstring-support-enabled parameter. Otherwise, WebSEAL does not validate the query string.
no When decode-query is set to no, then dynurl must be disabled.
Usage
This stanza entry is required.
Default value
yes
Example
decode-query = yes
disable-timeout-reduction
Syntax
disable-timeout-reduction = {yes|no}
Description
By default, WebSEAL automatically reduces the timeout duration for threads as the number of in-use worker threads increases. The timeout duration is the maximum length of time that a persistent connection with the client can remain inactive before WebSEAL terminates the connection.
This configuration option determines whether WebSEAL reduces the timeout duration to help control the number of active worker threads. This option is available on all platforms.
Options
yes Disables the timeout reduction done by WebSEAL as the number of worker threads in use increases.
no WebSEAL performs timeout reduction as the number of worker threads in use increases.
Usage
This stanza entry is optional.
Default value
no
Example
disable-timeout-reduction = yes
See also
“max-file-descriptors” on page 245
double-byte-encoding
Syntax
double-byte-encoding = {yes|no}
Description
Specifies whether WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.
Options
yes WebSEAL assumes that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.
no WebSEAL does not assume that encoded characters within URLs are always encoded in Unicode, and do not contain UTF-8 characters.
Usage
This stanza entry is required.
Default value
no
Example
double-byte-encoding = no
dynurl-allow-large-posts
Syntax
dynurl-allow-large-posts = {yes|no}
Description
Allows or disallows POST requests larger than the current value for the stanza entry request-body-max-read in the [server] stanza.
Options
yes When set to yes, WebSEAL compares only up to request-body-max-read bytes of the POST request to the URL mappings contained in the dynurl configuration file (dynurl.conf).
no When set to no, WebSEAL disallows POST requests with a body larger than request-body-max-read.
Usage
This stanza entry is required.
Default value
no
Example
dynurl-allow-large-posts = no
dynurl-map
Syntax
dynurl-map = file_name
Description
Specifies the file that contains mappings for URLs to protected objects.
Options
file_name
The name of the file that contains mappings for URLs to protected objects.
Usage
This stanza entry is optional.
Default value
None, but this entry is usually configured to dynurl.conf.
Example
dynurl-map = dynurl.conf
enable-IE6-2GB-downloads
Syntax
enable-IE6-2GB-downloads = {yes|no}
Description
Allows you to disable the HTTP Keep-Alives Enabled option for responses sent back to Internet Explorer, version 6, client browsers. The primary purpose of this is to allow WebSEAL to mimic the Internet Information Services workaround published at http://support.microsoft.com/kb/298618. This will allow clients using Microsoft Internet Explorer, version 6.0, to download files greater than 2GB, but less than 4GB.
NOTE:
v This stanza entry is not necessary for Internet Explorer 7 or for other non-Microsoft browsers.
v Enabling this workaround will cause WebSEAL to not use persistent connections for Internet Explorer, version 6, client connections when the data to be returned in the response is >= 2GB in length.
Options
yes Disables the HTTP Keep-Alives Enabled option, allowing clients using Internet Explorer, version 6, to download files greater than 2GB, but less than 4GB.
no The HTTP Keep-Alives Enabled option is not disabled.
Usage
This stanza entry is optional.
Default value
no
Example
enable-IE6-2GB-downloads = yes
filter-nonhtml-as-xhtml
Syntax
filter-nonhtml-as-xhtml = {yes|no}
Description
Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.
Options
yes Enable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.
no Disable tag-based filtering of static URLs for new MIME types added to the [filter-content-types] stanza.
Usage
This stanza entry is required.
Default value
no
Example
filter-nonhtml-as-xhtml = no
force-tag-value-prefix
Syntax
force-tag-value-prefix = {yes|no}
Description
Determines whether each attribute name set in a junction object's HTTP-Tag-Value is automatically prefixed with "tagvalue_" before it is placed in the credential. This prohibits access to credential attributes that do not have names beginning with "tagvalue_", such as AUTHENTICATION_LEVEL. When this option is set to no, the automatic prefixing of "tagvalue_" will not occur, so that all credential attributes can be specified in HTTP-Tag-Value.
Options
yes Enable the automatic prefixing of "tagvalue_" to each attribute name set in a junction object's HTTP-Tag-Value.
no Disable the automatic prefixing of "tagvalue_" so that all credential attributes can be specified in HTTP-Tag-Value.
Usage
This stanza entry is required.
Default value
yes
Example
force-tag-value-prefix = yes
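The point of the prefix is an allow-list: with the default setting, only attributes that were deliberately stored under a "tagvalue_" name can ever be copied into a request header, so a junction definition cannot leak built-in credential attributes such as AUTHENTICATION_LEVEL to the back end. The following is an added illustration, not WebSEAL code. Assumptions: HTTP-Tag-Value is modelled as a comma-separated list of attribute=Header-Name pairs, the credential as a plain dictionary, and the prefix is applied to every name when the setting is yes.

```python
"""How force-tag-value-prefix decides which credential attributes a junction's
HTTP-Tag-Value may expose as request headers. Added illustration, not WebSEAL
code; the HTTP-Tag-Value syntax and credential layout used here are assumed."""
from typing import Dict, List, Tuple

PREFIX = "tagvalue_"


def parse_http_tag_value(spec: str) -> List[Tuple[str, str]]:
    """Split "attr=Header,attr2=Header2" into (attribute, header) pairs."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        attr, sep, header = item.partition("=")
        if not sep or not attr.strip() or not header.strip():
            raise ValueError(f"bad HTTP-Tag-Value item: {item!r}")
        pairs.append((attr.strip(), header.strip()))
    return pairs


def tag_value_headers(credential: Dict[str, str], http_tag_value: str,
                      force_prefix: bool = True) -> Tuple[Dict[str, str], List[str]]:
    """Return (headers, unresolved). With force_prefix=True (the documented
    default of force-tag-value-prefix) every attribute name is prefixed with
    "tagvalue_" before the credential lookup, so a built-in attribute such as
    AUTHENTICATION_LEVEL can never be selected, whatever the junction says."""
    headers: Dict[str, str] = {}
    unresolved: List[str] = []
    for attr, header in parse_http_tag_value(http_tag_value):
        lookup = PREFIX + attr if force_prefix else attr
        if lookup in credential:
            headers[header] = credential[lookup]
        else:
            unresolved.append(lookup)
    return headers, unresolved


# Constructed sample credential: two tag/value attributes plus one built-in
# attribute that should stay internal to WebSEAL.
SAMPLE_CREDENTIAL = {
    "AUTHENTICATION_LEVEL": "1",
    "tagvalue_dept": "finance",
    "tagvalue_email": "user@example.com",
}
# Constructed junction setting that tries to export both kinds of attribute.
SAMPLE_HTTP_TAG_VALUE = "dept=X-Dept,AUTHENTICATION_LEVEL=X-Auth-Level"

if __name__ == "__main__":
    print("force-tag-value-prefix = yes:", tag_value_headers(SAMPLE_CREDENTIAL, SAMPLE_HTTP_TAG_VALUE, True))
    print("force-tag-value-prefix = no: ", tag_value_headers(SAMPLE_CREDENTIAL, SAMPLE_HTTP_TAG_VALUE, False))
```

Run with the sample data, the yes setting exports only X-Dept and reports tagvalue_AUTHENTICATION_LEVEL as unresolved; the no setting exports X-Auth-Level and now fails to find dept, because the administrator must then spell the full tagvalue_dept name.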
http
Syntax
http = {yes|no}
Description
Specifies whether HTTP requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.
Options
yes Accept HTTP requests.
no Do not accept HTTP requests.
Usage
This stanza entry is required.
Default value
no
Example
http = yes
http-method-disabled-local
Syntax
http-method-disabled-local = [HTTP_methods]
Description
Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for local resources. By default, WebSEAL blocks the TRACE HTTP method.
Options
HTTP_methods
A comma-separated list of HTTP methods that are blocked when requesting local resources.
Usage
This stanza entry is required.
Default value
TRACE
Example
http-method-disabled-local = TRACE
http-method-disabled-remote
Syntax
http-method-disabled-remote = [HTTP_methods]
Description
Specifies the HTTP methods that WebSEAL blocks when processing HTTP requests for junctioned resources. By default, WebSEAL blocks the TRACE HTTP method.
Options
HTTP_methods
A comma-separated list of HTTP methods that are blocked when requesting remote resources.
Usage
This stanza entry is required.
Default value
TRACE
Example
http-method-disabled-remote = TRACE
http-port
Syntax
http-port = port_number
Description
Port on which WebSEAL listens for HTTP requests. This value is set during WebSEAL configuration. When the default HTTP port is already in use, WebSEAL configuration suggests the next available (unused) port number.
Options
port_number
The administrator can modify this number. Valid values include any port number not already in use on the host.
Usage
This stanza entry is required.
Default value
80
Example
http-port = 80
https
Syntax
https = {yes|no}
Description
Specifies whether HTTPS requests will be accepted by the WebSEAL server. This value is set by the administrator during WebSEAL server configuration.
Options
yes Accept HTTPS requests.
no Do not accept HTTPS requests.
Usage
This stanza entry is required.
Default value
no
Example
https = yes
https-port
Syntax
https-port = port_number
Description
Port on which WebSEAL listens for HTTPS requests. This value is set during WebSEAL configuration. When the default port is already in use, WebSEAL configuration suggests the next available (unused) port number.
Options
port_number
The administrator can modify this number. Valid values include any port number not already in use on the host.
Usage
This stanza entry is required.
Default value
443
Example
https-port = 443
ignore-missing-last-chunk
Syntax
ignore-missing-last-chunk = {yes|no}
Description
Controls whether WebSEAL ignores a missing last chunk in a data stream from a backend server that is using chunked transfer-encoding.
Options
yes WebSEAL will ignore a missing last-chunk in a data stream from a backend server that is using chunked transfer-encoding. This matches the behavior in prior releases of WebSEAL.
no WebSEAL will RST (reset) the connection to the front-end browser if the last-chunk is not present.
Usage
This stanza entry is optional.
Default value
no
Example
ignore-missing-last-chunk = yes
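In chunked transfer-encoding (the format WebSEAL itself emits when chunk-responses is enabled) the body ends with a zero-length chunk, so a stream that stops without one is indistinguishable, at the byte level, from a truncated response; the choice above is whether to pass such a body on silently or to tear the client connection down so the browser cannot mistake a partial document for a complete one. The following decoder is an added illustration, not WebSEAL code: it reports whether the last-chunk was seen, and models the two settings as tolerate-or-raise; the exception text is assumed.

```python
"""Decoder for HTTP/1.1 chunked transfer-encoding (RFC 2616, section 3.6.1) that
reports whether the stream was terminated by the last-chunk ("0" CRLF,
optional trailer headers, CRLF). Added illustration of the
ignore-missing-last-chunk choice, not WebSEAL code; messages are assumed."""
from typing import Tuple


class ChunkedBodyError(Exception):
    """Malformed chunked body, or an unterminated one when not tolerated."""


def _finish(body: bytearray, terminated: bool, tolerate: bool) -> Tuple[bytes, bool]:
    if not terminated and not tolerate:
        # ignore-missing-last-chunk = no: the page says WebSEAL resets the
        # client connection; here that outcome is modelled as an exception.
        raise ChunkedBodyError("stream ended without last-chunk")
    return bytes(body), terminated


def decode_chunked(stream: bytes, tolerate_missing_last_chunk: bool = False) -> Tuple[bytes, bool]:
    """Return (body, terminated). tolerate_missing_last_chunk=True corresponds
    to ignore-missing-last-chunk = yes: a truncated stream yields whatever data
    arrived, flagged terminated=False, instead of raising."""
    body = bytearray()
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol == -1:
            return _finish(body, False, tolerate_missing_last_chunk)
        # chunk-size [ ";" chunk-extension ] CRLF   (extensions are ignored)
        size_field = stream[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field.decode("ascii"), 16)
        except ValueError:
            raise ChunkedBodyError(f"malformed chunk-size line: {size_field!r}")
        if size < 0:
            raise ChunkedBodyError("negative chunk size")
        pos = eol + 2
        if size == 0:
            # last-chunk reached: skip optional trailer headers up to the blank line
            while True:
                eol = stream.find(b"\r\n", pos)
                if eol == -1:
                    return _finish(body, False, tolerate_missing_last_chunk)
                line, pos = stream[pos:eol], eol + 2
                if line == b"":
                    return _finish(body, True, tolerate_missing_last_chunk)
        end = pos + size
        if end + 2 > len(stream):
            # chunk-data or its CRLF cut short: the sender went away early
            body += stream[pos:end]
            return _finish(body, False, tolerate_missing_last_chunk)
        if stream[end:end + 2] != b"\r\n":
            raise ChunkedBodyError("chunk-data not followed by CRLF")
        body += stream[pos:end]
        pos = end + 2


# Constructed sample streams.
COMPLETE = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
MISSING_LAST_CHUNK = b"4\r\nWiki\r\n5\r\npedia\r\n"

if __name__ == "__main__":
    print(decode_chunked(COMPLETE))                       # (b'Wikipedia', True)
    print(decode_chunked(MISSING_LAST_CHUNK, True))       # (b'Wikipedia', False)
```

With the page's default (no), the second stream raises, which is the point: a back end that habitually drops the last-chunk should be fixed rather than tolerated, because the same parser ambiguity is what lets a truncated response look complete.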
intra-connection-timeout
Syntax
intra-connection-timeout = number_of_seconds
Description
This parameter affects request and response data sent as two or more fragments. The parameter specifies the timeout (in seconds) between each request data fragment after the first data fragment is received by WebSEAL. The parameter also governs the timeout between response data fragments after the first data fragment is returned by WebSEAL.
Options
number_of_seconds
If the value of this parameter is set to 0 (or not set), connection timeouts between data fragments are governed instead by the client-connect-timeout parameter. The exception to this rule occurs for responses returned over HTTP (TCP). In this case, there is no timeout between response fragments. If a connection timeout occurs on a non-first data fragment due to the intra-connection-timeout setting, a TCP RST (reset) packet is sent.
Usage
This stanza entry is required.
Default value
60
Example
intra-connection-timeout = 60
io-buffer-size
Syntax
io-buffer-size = number_of_bytes
Description
Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.
Options
number_of_bytes
Positive integer value that indicates the buffer size, in bytes, for low-level reads from and writes to a client.
The minimum value is 1. WebSEAL does not impose a maximum value.
A small value (for instance, 10 bytes) can hurt performance by causing frequent calls to the low-level read/write APIs. Up to a certain point, larger values improve performance because they correspondingly reduce the calls to the low-level I/O functions.
However, the low-level I/O functions might have their own internal buffers, such as the TCP send and receive buffers. When io-buffer-size exceeds the size of those buffers, there is no longer any performance improvement because those functions read only part of the buffer at a time.
Reasonable values for io-buffer-size range from 1 - 16 kB. Values smaller than this range cause the low-level I/O functions to be called too frequently. Values larger than this range waste memory. A 2 MB I/O buffer size uses 4 MB for each worker thread that communicates with the client, since there is an input and an output buffer.
Usage
This stanza entry is required.
Default value
4096
Example
io-buffer-size = 4096
ip-support-level
Syntax
ip-support-level = {displaced-only|generic-only|displaced-and-generic}
Description
Controls the amount of network information stored in a credential by specifying the required IP level.
Options
displaced-only
WebSEAL only generates the IPv4 attribute when building user credentials and when authenticating users through external authentication C API modules.
generic-only
WebSEAL only generates new generic attributes that support both IPv4 and IPv6 when building user credentials and when authenticating users through external authentication C API modules.
displaced-and-generic
Both sets of attribute types (produced by displaced-only and generic-only) are used when building user credentials and when authenticating users through external authentication C API modules.
Usage
This stanza entry is required.
Default value
generic-only
Example
ip-support-level = generic-only
ipv6-support
Syntax
ipv6-support = {yes|no}
Description
Enable/disable WebSEAL support for IPv6 format.
Options
yes Enable WebSEAL support for IPv6 format.
no Disable WebSEAL support for IPv6 format.
Usage
This stanza entry is required.
Default value
yes
Example
ipv6-support = yes
late-lockout-notification
Syntax
late-lockout-notification = {yes|no}
Description
WebSEAL returns a server response error page (acct_locked.html) that notifies the user of the penalty for reaching or exceeding the maximum value set by the max-login-failures policy. This stanza entry specifies whether this notification occurs when the user reaches the max-login-failures limit, or at the next login attempt after reaching the limit.
Options
yes Upon reaching the maximum value set by the max-login-failures policy, WebSEAL returns another login prompt to the user. WebSEAL does not send the account disabled error page to the user until the next login attempt. This response represents pre-version 6.0 behavior for the max-login-failures policy.
no Upon reaching the maximum value set by the max-login-failures policy, WebSEAL immediately sends the account disabled error page to the user.
Usage
Required
Default value
The default for new installations is no. The default for migrated installations is yes.
Example
late-lockout-notification = yes
max-client-read
Syntax
max-client-read = number_of_bytes
Description
Specifies the maximum number of bytes of request line and header information that WebSEAL holds in internal buffers when reading an HTTP request from a client. One purpose for max-client-read is to help protect WebSEAL from denial-of-service attacks.
As of Security Access Manager WebSEAL 6.0, the max-client-read stanza entry no longer impacts the request-body-max-read and request-max-cache stanza entries.
Options
number_of_bytes
The minimum value for this parameter is 32768 bytes. If the total size of the request line and headers is greater than the value specified for this parameter, WebSEAL closes the connection without reading any more data or sending any response to the client.
If the value is set to a number below 32768, the value is ignored and a value of 32768 is used. There is no maximum value. URL and header information in a typical request rarely exceeds 2048 bytes.
Usage
This stanza entry is required.
Default value
32768
Example
max-client-read = 32768
max-file-cat-command-length
Syntax
max-file-cat-command-length = number_of_bytes
Description
Specifies the maximum size of the file, specified in bytes, which may be returned from the file cat server task command.
If the value of this parameter is less than the size of the file specified in the file cat command, the returned file will be truncated. This parameter takes precedence over the optional -max bytes value in the file cat command.
Options
number_of_bytes
The maximum size of the file, specified in bytes, which may be returned from the file cat command.
Usage
This stanza entry is required.
Default value
1024
Example
max-file-cat-command-length = 512
max-file-descriptors
Syntax
max-file-descriptors = number_of_descriptors
Description
Sets the maximum number of sockets that WebSEAL uses in a Windows environment. This setting directly affects the number of worker threads available.
Note: You can use the connection-request-limit option, which is also in the [server] stanza, to increase the number of requests that WebSEAL processes on a persistent connection.
Options
number_of_descriptors
Integer value representing the maximum number of file descriptors (sockets) that WebSEAL uses. This setting directly affects the number of worker threads available to WebSEAL. The minimum value, and default, is the compiled FD_SETSIZE, which is 2048 for Windows.
Usage
This stanza entry is optional.
Note: This configuration option is available only on Windows. WebSEAL ignores this setting on all other platforms.
Default value
The default value is the compiled FD_SETSIZE, which is 2048 for Windows.
Example
max-file-descriptors = 2048
See also
“disable-timeout-reduction” on page 233
“connection-request-limit” on page 231
max-idle-persistent-connections
Syntax
max-idle-persistent-connections = number_of_connections
Description
The maximum number of idle client persistent connections. Use a value less than the maximum number of connections supported by WebSEAL to ensure that the idle connections do not consume all the available connections.
Options
number_of_connections
Integer value indicating the maximum number of idle client persistent connections.
Usage
This stanza entry is required.
Default value
512
Example
max-idle-persistent-connections = 512
network-interface
Syntax
network-interface = ip-address
Description
Specify an alternative IP address to be used by this instance of WebSEAL. This allows two or more WebSEAL instances to use different IP addresses and host names when running on the same machine.
Options
ip-address
IP address.
Usage
This stanza entry is optional.
Default value
0.0.0.0
Example
network-interface = 9.0.0.9
persistent-con-timeout
Syntax
persistent-con-timeout = number_of_seconds
Description
HTTP/1.1 connection timeout, in seconds. This setting affects connections to clients, not to backend server systems.
Options
number_of_seconds
HTTP/1.1 connection timeout, in seconds. Must be a positive integer. Other values have unpredictable results and should not be used. Maximum allowed value: 2147483647.
A value of 0 causes WebSEAL to set the 'Connection: close' header and then close the connection on every response. If the value of this stanza entry is set to 0, the connection does not remain open for future requests.
Usage
This stanza entry is required.
Default value
5
Example
persistent-con-timeout = 5
pre-410-compatible-tokens
Syntax
pre-410-compatible-tokens = {yes|no}
Description
WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The security of these tokens was increased for version 4.1. This increase is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 3.9 or prior, set this value to yes.
Options
yes Support pre-410-compatible tokens.
no Do not support pre-410-compatible tokens.
Usage
This stanza entry is required.
Default value
no
Example
pre-410-compatible-tokens = no
pre-510-compatible-token
Syntax
pre-510-compatible-token = {yes|no}
Description
WebSEAL supports a common method of generating tokens for cross-domain single signon, failover, and e-community single signon. The format of these tokens changed for version 5.1. This change is not backward compatible with previous versions of WebSEAL. When the Security Access Manager deployment includes multiple WebSEAL servers, and some of the WebSEAL servers are version 4.1 or prior, set this value to yes.
Options
yes Support pre-510-compatible tokens.
no Do not support pre-510-compatible tokens.
Usage
This stanza entry is required.
Default value
no
Example
pre-510-compatible-tokens = no
preserve-base-href
Syntax
preserve-base-href = {yes|no}
Description
Specifies whether WebSEAL will remove all BASE HREF tags from filtered HTML documents and prepend the base tag to filtered links.
Options
yes When set to yes, WebSEAL filters the BASE HREF tag.
no When set to no, WebSEAL removes BASE HREF tags.
Usage
This stanza entry is required.
Default value
no
Example
preserve-base-href = no
preserve-base-href2
Syntax
preserve-base-href2 = {yes|no}
Description
Used in conjunction with the preserve-base-href option to specify the level of filtering on the BASE HREF tags.
NOTE: This option has no effect unless preserve-base-href (also in the [server] stanza) is set to yes.
Options
yes When set to yes, WebSEAL only performs the minimum filtering of the BASE HREF tag necessary to insert the WebSEAL host and junction names.
no When set to no, WebSEAL completely filters the BASE HREF tags. For BASE tags that do not contain a trailing slash, WebSEAL strips the last component.
Usage
This stanza entry is optional.
Default value
yes
Example
preserve-base-href2 = yes
preserve-p3p-policy
Syntax
preserve-p3p-policy = {yes|no}
Description
Specifies whether to replace or preserve p3p headers from junctioned servers.
Options
yes The value yes means that headers are preserved.
no A value of no means that headers are replaced.
Usage
This stanza entry is required.
Default value
no
Example
preserve-p3p-policy = no
process-root-requests
Syntax
process-root-requests = {never|always|filter}
Description
Specifies how WebSEAL responds to requests for resources located at the root ("/") junction.
Options
never Root junction requests are never processed at the root junction.
always
Always attempt to process requests for the root junction at the root junction first before attempting to use a junction mapping mechanism.
filter Examine all root junction requests to determine whether they start with the patterns specified in the [process-root-filter] stanza.
Usage
This stanza entry is required.
Default value
always
Example
process-root-requests = always
redirect-using-relative
Syntax
redirect-using-relative = {true|false}
Description
Specifies that WebSEAL use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.
This configuration change affects all redirect responses generated by WebSEAL. These redirect situations include:
v Redirect after authentication
v Redirect after logout
v Redirect after changing password
v Redirects during the e-community single signon authentication process
v Redirects during the cross-domain single signon authentication process
v Switch user processing
v Certificate authentication (prompt-as-needed only)
v Session displacement
Options
true Use a server-relative format for the URL in the Location header of an HTTP 302 redirect response.
false Use an absolute format for the URL in the Location header of an HTTP 302 redirect response.
Usage
This stanza entry is not required and is a hidden entry.
Default value
false
Example
redirect-using-relative = true
reject-invalid-host-header
Syntax
reject-invalid-host-header = {yes|no}
Description
Determines whether requests to WebSEAL that have an invalid host header (see RFC 2616) are rejected with a status of 400, "Bad Request."
Options
yes All requests to WebSEAL with an invalid host header will be rejected with a status of 400, "Bad Request."
no Requests with an invalid host header are not rejected.
Usage
This stanza entry is required.
Default value
no
Example
reject-invalid-host-header = no
reject-request-transfer-encodings
Syntax
reject-request-transfer-encodings = {yes|no}
Description
Specifies the WebSEAL response to requests containing the Transfer-Encoding header.
Options
yes WebSEAL rejects (with an error status of 501, Not Implemented) any request with a Transfer-Encoding header value of anything other than "identity" or "chunked".
no WebSEAL may reject the request, or may forward it on to the junctioned server in a corrupted state. This setting is available for compatibility with versions of WebSEAL prior to version 6.0.
Usage
This stanza entry is required.
Default value
yes
Example
reject-request-transfer-encodings = yes
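Several of the [server] entries in this section are checks WebSEAL applies before a request is dispatched at all: max-client-read (drop the connection when the request line and headers outgrow the buffer), http-method-disabled-local and http-method-disabled-remote (block listed methods, TRACE by default, on local and junctioned resources respectively), reject-invalid-host-header (400 on a malformed Host) and reject-request-transfer-encodings (501 on any coding other than identity or chunked). The following is an added illustration of those checks in one screening function, not WebSEAL code. Assumptions: the host[:port] grammar used for Host validation, the treatment of a missing Host on HTTP/1.1 as invalid, the "incomplete" outcome for a request whose headers have not fully arrived, and the "method-disabled" outcome, whose HTTP status the page does not state.

```python
"""Front-door screening of an HTTP request head, modelled on the [server]
entries max-client-read, http-method-disabled-local/remote,
reject-invalid-host-header and reject-request-transfer-encodings.
Added illustration, not WebSEAL code; grammar and outcome names are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# host = hostname | IPv4address | "[" IPv6address "]", optionally followed by :port
_HOST_RE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::\d{1,5})?$")
_REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


@dataclass
class ServerConfig:
    """Defaults mirror the documented default values of the entries."""
    max_client_read: int = 32768
    http_method_disabled_local: Tuple[str, ...] = ("TRACE",)
    http_method_disabled_remote: Tuple[str, ...] = ("TRACE",)
    reject_invalid_host_header: bool = False
    reject_request_transfer_encodings: bool = True


def screen_request(raw: bytes, cfg: ServerConfig, junctioned: bool) -> Tuple[str, str]:
    """Return (action, detail). action is "forward", "incomplete", "close"
    (connection dropped without any response), "method-disabled", or an HTTP
    status string such as "400" or "501"."""
    # max-client-read: values below 32768 are ignored and 32768 is used.
    limit = max(cfg.max_client_read, 32768)
    head_end = raw.find(b"\r\n\r\n")
    if head_end == -1:
        if len(raw) >= limit:
            return "close", "request line and headers exceed max-client-read"
        return "incomplete", "end of headers not yet received"
    if head_end + 4 > limit:
        return "close", "request line and headers exceed max-client-read"

    lines = raw[:head_end].decode("latin-1").split("\r\n")
    m = _REQUEST_LINE_RE.match(lines[0])
    if not m:
        return "400", "malformed request line"
    method, major, minor = m.group(1), int(m.group(3)), int(m.group(4))
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            return "400", f"malformed header line: {line!r}"
        headers[name.strip().lower()] = value.strip()   # last duplicate wins here

    # http-method-disabled-local / -remote, chosen by where the resource lives.
    disabled = cfg.http_method_disabled_remote if junctioned else cfg.http_method_disabled_local
    if method in disabled:
        return "method-disabled", method

    # reject-invalid-host-header: HTTP/1.0 may omit Host, HTTP/1.1 must send it.
    host = headers.get("host")
    if host is None:
        host_ok = (major, minor) < (1, 1)
    else:
        host_ok = _HOST_RE.match(host) is not None
    if not host_ok and cfg.reject_invalid_host_header:
        return "400", f"invalid host header: {host!r}"

    # reject-request-transfer-encodings: only identity and chunked are understood.
    te = headers.get("transfer-encoding")
    if te is not None and cfg.reject_request_transfer_encodings:
        codings = [c.strip().lower() for c in te.split(",")]
        if any(c not in ("identity", "chunked") for c in codings):
            return "501", f"unsupported transfer-encoding: {te}"
    return "forward", method


if __name__ == "__main__":
    cfg = ServerConfig(reject_invalid_host_header=True)
    # Constructed request heads.
    print(screen_request(b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n", cfg, False))
    print(screen_request(b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", cfg, True))
    print(screen_request(b"POST /a HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: gzip, chunked\r\n\r\n", cfg, True))
```

Note the ordering: the size check runs before any parsing, so an oversized head never costs a parse, and the Transfer-Encoding check is the last gate before forwarding, which is where a proxy must make a definite decision rather than pass along a coding it does not itself understand.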
request-body-max-read
Syntax
request-body-max-read = number_of_bytes
Description
Maximum number of bytes to read in as content from the body of POST requests. The request-body-max-read stanza entry affects the request body only. It does not impose limits on other components of a request, such as the request line and headers. Used for dynurl, authentication, and request caching.
Options
number_of_bytes
Maximum number of bytes to read in as content from the body of POST requests. Used for dynurl, authentication, and request caching. Minimum number of bytes: 512.
Usage
This stanza entry is required.
Default value
4096
Example
request-body-max-read = 4096
request-max-cache
Syntax
request-max-cache = number_of_bytes
Description
Maximum amount of data to cache. This is used to cache request data when a user is prompted to authenticate before a request can be fulfilled.
Options
number_of_bytes
This value should be a positive integer. If set to zero (0), the user login succeeds but the request fails because WebSEAL cannot cache the request data. There is no maximum value.
Usage
This stanza entry is required.
Default value
8192
Example
request-max-cache = 8192
send-header-ba-first
Syntax
send-header-ba-first = {yes|no}
Description
By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-ba-first entry to ensure that WebSEAL selects the BA header before any of the other configured authentication mechanisms.
Options
yes WebSEAL sends the header first.
no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.
Usage
This stanza entry is optional.
Default value
no
Example
send-header-ba-first = yes
See also
“send-header-spnego-first”
send-header-spnego-first
Syntax
send-header-spnego-first = {yes|no}
Description
By default, WebSEAL selects the authentication challenge to return to the client by sequentially searching the available authentication mechanisms until it finds one that is enabled. You can use the send-header-spnego-first entry to ensure that WebSEAL selects the SPNEGO header first, before any of the other configured authentication mechanisms.
SPNEGO authentication can use either forms login or a header.
Note: If send-header-ba-first is set to yes and send-header-spnego-first is set to no, WebSEAL sends a BA header first, but uses the default search for an SPNEGO forms login.
Options
yes WebSEAL sends the header first.
no WebSEAL searches sequentially through the available authentication mechanisms and sends the first one that is enabled.
Usage
This stanza entry is optional.
Default value
no
Example
send-header-spnego-first = yes
See also
“send-header-ba-first” on page 253
server-name
Syntax
server-name = host_name-instance_name
Description
The WebSEAL instance name.
Options
host_name-instance_name
The WebSEAL instance name, based on the host name of the machine and the instance name of the WebSEAL server. This value is set by the administrator during WebSEAL configuration. WebSEAL instance names must be alphanumeric. The maximum number of characters allowed is 20.
Usage
This stanza entry is required.
Default value
None.
Example
Initial WebSEAL server with the default instance name accepted, on a host named diamond:
server-name = diamond-default
WebSEAL instance specified as web2, on a host named diamond:
server-name = diamond-web2
slash-before-query-on-redirect
Syntax
slash-before-query-on-redirect = {yes|no}
Description
When a client URL specifies a directory location that does not end in a trailing slash (/), the client is redirected to the same URL with a trailing slash added. This is necessary for ACL checks to work properly.
This stanza entry controls where the slash is added if the original URL contains a query string.
Options
yes Setting this value to yes causes the trailing slash to be added before the query string.
For example: /root/directoryname?query becomes /root/directoryname/?query
no Setting this value to no causes the trailing slash to be added after the query string.
For example: /root/directoryname?query becomes /root/directoryname?query/
NOTE: A setting of no could cause browser errors. This option exists for backwards compatibility only.
Usage
This stanza entry is optional.
Default value
no
Example
slash-before-query-on-redirect = yes
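Three entries in this section shape the Location header of a WebSEAL redirect: cache-host-header (whether the cached original request remembers its protocol and host, so the post-login redirect returns to hostA rather than the hostB that handled the login), redirect-using-relative (server-relative versus absolute Location) and slash-before-query-on-redirect (where the trailing slash goes for a directory redirect carrying a query string). The following is an added illustration of all three side by side, not WebSEAL code; hostA, hostB and /root/directoryname?query are the names used in the descriptions above, and the callers are assumed to already know that the request is for a directory.

```python
"""Location-header construction for WebSEAL-style redirects, showing the
cache-host-header, redirect-using-relative and slash-before-query-on-redirect
choices. Added illustration, not WebSEAL code; host names are the ones from
the stanza descriptions and the cached-request layout is assumed."""
from typing import Optional


def cache_original_request(scheme: str, host: str, url: str,
                           cache_host_header: bool) -> dict:
    """What is remembered about a request that triggered authentication.
    With cache-host-header = no only the URL survives; with yes the protocol
    and host are kept too, but only when a Host header was present."""
    if cache_host_header and host:
        return {"scheme": scheme, "host": host, "url": url}
    return {"url": url}


def post_login_location(cached: dict, current_scheme: str, current_host: str,
                        redirect_using_relative: bool) -> str:
    """Location value for the redirect back to the cached original request.
    Without a cached host the redirect can only target the host that served
    the login, which is the hostA/hostB problem the page describes."""
    if redirect_using_relative:
        return cached["url"]                      # server-relative form
    scheme = cached.get("scheme", current_scheme)
    host = cached.get("host", current_host)       # falls back to the current host
    return f"{scheme}://{host}{cached['url']}"


def directory_redirect(url: str, slash_before_query: bool) -> Optional[str]:
    """Redirect target for a directory request lacking its trailing slash, or
    None when the URL already ends in one and no redirect is needed."""
    path, sep, query = url.partition("?")
    if path.endswith("/"):
        return None
    if slash_before_query:
        return path + "/" + sep + query           # /root/directoryname/?query
    return url + "/"                              # legacy: /root/directoryname?query/


if __name__ == "__main__":
    # Request for hostA, login processed on hostB (constructed scenario).
    for cache in (False, True):
        cached = cache_original_request("https", "hostA", "/app/page", cache)
        print(f"cache-host-header={cache}:", post_login_location(cached, "https", "hostB", False))
    print(directory_redirect("/root/directoryname?query", True))
    print(directory_redirect("/root/directoryname?query", False))
```

Running the script shows the misdirected redirect to hostB with the default and the correct one with cache-host-header enabled; the second pair of lines reproduces the yes and no forms from the slash-before-query-on-redirect description.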
strip-www-authenticate-headers
Syntax
strip-www-authenticate-headers = {yes|no}
Description
Controls whether WebSEAL removes the following headers from the responses that it receives from junctioned servers:
v Negotiate www-authenticate header.
v NTLM www-authenticate header.
Options
yes When set to yes, WebSEAL removes these www-authenticate headers from junctioned server responses.
no When set to no, WebSEAL does not remove these www-authenticate headers from junctioned server responses.
Usage
This stanza entry is optional.
Default value
yes
Examplestrip-www-authenticate-headers = yes
suppress-backend-server-identity
Syntax
suppress-backend-server-identity = {yes|no}
Description
Suppresses the identity of the back-end application server from HTTP responses. These responses normally include the line:
Server: IBM_HTTP_SERVER/version_number Apache/version_number (Win32)
Options
yes Setting this value to yes deletes the above header line from the server response.
no Setting this value to no leaves the above header line in the server response.
Usage
This stanza entry is required.
Default value
no
Example
suppress-backend-server-identity = no
suppress-dynurl-parsing-of-posts
Syntax
suppress-dynurl-parsing-of-posts = {yes|no}
Description
Determines whether POST bodies are used in dynurl processing.
Note: Before enabling this option, make certain that no dynurl checked server applications accept arguments from POST bodies so that dynurl checks cannot be bypassed using a POST instead of a Query string.
Options
yes POST bodies will not be used in dynurl processing, only Query strings will be used.
no POST bodies can be used in dynurl processing.
Usage
This stanza entry is required.
Default value
no
Example
suppress-dynurl-parsing-of-posts = no
suppress-server-identity
Syntax
suppress-server-identity = {yes|no}
Description
Suppresses the identity of the WebSEAL server from HTTP responses. These responses normally include the line:
Server: WebSEAL/version_number
Options
yes Setting this value to yes deletes the above header line from the server response.
no Setting this value to no leaves the above header line in the server response.
Usage
This stanza entry is required.
Default value
no
Example
suppress-server-identity = no
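The three entries strip-www-authenticate-headers, suppress-backend-server-identity and suppress-server-identity all act on response headers before they reach the browser. The following is an added illustration of that filtering (not WebSEAL code): the backend response, the stanza values and the version string are constructed for the example, and the header names are the real HTTP headers the entries describe.

```python
"""Response-header filtering as strip-www-authenticate-headers,
suppress-backend-server-identity and suppress-server-identity describe it.
Added illustration, not WebSEAL code."""

from typing import Dict, List, Tuple

# A response is modelled as a list of (name, value) pairs because a 401 may
# carry several WWW-Authenticate headers, one per authentication scheme.
Headers = List[Tuple[str, str]]


def filter_junction_response(headers: Headers, config: Dict[str, str]) -> Headers:
    """Apply the two junction-facing entries to a junctioned server's response."""
    strip_wwwauth = config.get("strip-www-authenticate-headers", "yes") == "yes"
    hide_backend = config.get("suppress-backend-server-identity", "no") == "yes"
    out: Headers = []
    for name, value in headers:
        lname = name.lower()
        if strip_wwwauth and lname == "www-authenticate":
            # Only the Negotiate and NTLM challenges are removed; Basic,
            # Digest and other schemes pass through unchanged.
            scheme = value.split(None, 1)[0].lower() if value.strip() else ""
            if scheme in ("negotiate", "ntlm"):
                continue
        if hide_backend and lname == "server":
            continue  # drop "Server: IBM_HTTP_SERVER/... Apache/..."
        out.append((name, value))
    return out


def add_webseal_identity(headers: Headers, config: Dict[str, str], version: str = "7.0") -> Headers:
    """WebSEAL's own Server header, omitted when suppress-server-identity = yes."""
    if config.get("suppress-server-identity", "no") == "yes":
        return list(headers)
    return list(headers) + [("Server", f"WebSEAL/{version}")]


def client_visible_headers(backend_headers: Headers, config: Dict[str, str]) -> Headers:
    """Headers the browser ends up seeing for one junctioned response."""
    return add_webseal_identity(filter_junction_response(backend_headers, config), config)


# Constructed sample: a junctioned IBM HTTP Server answering 401 with three challenges.
SAMPLE_BACKEND_HEADERS: Headers = [
    ("Server", "IBM_HTTP_SERVER/8.5 Apache/2.2 (Win32)"),
    ("WWW-Authenticate", "Negotiate"),
    ("WWW-Authenticate", "NTLM"),
    ("WWW-Authenticate", 'Basic realm="intranet"'),
    ("Content-Type", "text/html"),
]

# Constructed stanza values that hide both server identities.
HARDENED = {
    "strip-www-authenticate-headers": "yes",
    "suppress-backend-server-identity": "yes",
    "suppress-server-identity": "yes",
}

if __name__ == "__main__":
    for name, value in client_visible_headers(SAMPLE_BACKEND_HEADERS, HARDENED):
        print(f"{name}: {value}")
```

With the documented defaults (only strip-www-authenticate-headers = yes) the backend's Server line still reaches the client and WebSEAL appends its own; the hardened values leave only the Basic challenge and the content type.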
tag-value-missing-attr-tag
Syntax
tag-value-missing-attr-tag = tag_for_missing_attribute
Description
WebSEAL allows credential attributes to be inserted into the HTTP stream as HTTP headers. In the event that a requested attribute is not found in the credential, the HTTP header is still created with a static string. The tag-value-missing-attr-tag configuration entry defines the contents of the header.
Options
tag_for_missing_attribute
Tag inserted in the HTTP header in place of a missing attribute.
Usage
This stanza entry is required.
Default value
NOT_FOUND
Example
tag-value-missing-attr-tag = NOT_FOUND
use-existing-username-macro-in-custom-redirects
Syntax
use-existing-username-macro-in-custom-redirects = {yes|no}
Description
When using Local Response Redirection, you can use this configuration option to control how WebSEAL processes the USERNAME macro. By default, WebSEAL sets the USERNAME macro value to the string "unauthenticated" after an inactivity timeout. This processing does not match the behavior when WebSEAL serves static pages.
Use this option to override the default behavior and configure WebSEAL to set the USERNAME macro value to the authenticated username. That is, with this option set to yes, WebSEAL processes the USERNAME macro the same when using Local Response Redirection as it does when serving static pages.
Options
yes When using Local Response Redirection, the USERNAME macro value is set to the authenticated username after an inactivity timeout.
no When using Local Response Redirection, the USERNAME macro value is set to the string "unauthenticated" after an inactivity timeout.
Usage
This stanza entry is optional.
Default value
no
Example
use-existing-username-macro-in-custom-redirects = yes
use-http-only-cookies
Syntax
use-http-only-cookies = {yes|no}
Description
Indicates whether WebSEAL will add the HTTP-only attribute to the Session, LTPA and Failover Set-Cookie headers sent by WebSEAL.
Options
yes Enables WebSEAL to add the HTTP-only attribute to Session, LTPA and Failover Set-Cookie headers.
no Prevents WebSEAL from adding the HTTP-only attribute to Session, LTPA and Failover Set-Cookie headers.
Usage
This stanza entry is required.
Default value
no
Example
use-http-only-cookies = no
utf8-form-support-enabled
Syntax
utf8-form-support-enabled = {yes|no|auto}
Description
Controls how WebSEAL handles UTF-8 encoding in form data.
Options
yes WebSEAL only recognizes UTF-8 encoding in forms and the data is used without modification.
no WebSEAL does not recognize UTF-8 encoding in forms. Used for local code page only.
auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.
Usage
This stanza entry is required.
Default value
yes
Example
utf8-form-support-enabled = yes
utf8-qstring-support-enabled
Syntax
utf8-qstring-support-enabled = {yes|no|auto}
Description
Controls how WebSEAL handles UTF-8 encoding in query strings.
Options
yes WebSEAL only recognizes UTF-8 encoding in strings and the data is used without modification.
no WebSEAL does not recognize UTF-8 encoding in strings. Used for local code page only.
auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.
Usage
This stanza entry is required.
Default value
no
Example
utf8-qstring-support-enabled = no
utf8-url-support-enabled
Syntax
utf8-url-support-enabled = {yes|no|auto}
Description
Enable or disable support for UTF-8 encoded characters in URLs.
Options
yes WebSEAL only recognizes UTF-8 encoding in URLs and the data is used without modification.
no WebSEAL does not recognize UTF-8 encoding in URLs. Used for local code page only.
auto When set to auto, WebSEAL attempts to distinguish between UTF-8 and other forms of language character encoding. When encoding is not recognized as UTF-8, WebSEAL processes the coding as non-UTF-8.
Usage
This stanza entry is required.
Default value
yes
Example
utf8-url-support-enabled = yes
validate-query-as-ga
Syntax
validate-query-as-ga = {yes|no}
Description
Determines whether WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.
Options
yes WebSEAL does not return a "Bad request" error when there is an invalid character present in the query portion of the URL.
no WebSEAL returns a "Bad Request" error when there is an invalid character present in the query portion of the URL.
Usage
This stanza entry is optional.
Default value
no
Example
validate-query-as-ga = yes
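The utf8-qstring-support-enabled modes and validate-query-as-ga both act on the query portion of a request URL. The following added example (not WebSEAL code) walks a percent-encoded query through both: the character check, the yes/no/auto decoding, and the "Bad Request" outcome. Two details are assumptions, since the reference does not define them: an "invalid character" is taken to be one outside the RFC 3986 query character set, and the "local code page" is taken to be ISO-8859-1; in mode yes, bytes that are not valid UTF-8 are treated as an error.

```python
"""Query-string handling as utf8-qstring-support-enabled and
validate-query-as-ga describe it. Added illustration, not WebSEAL code."""

from typing import Optional, Tuple
from urllib.parse import unquote_to_bytes

# RFC 3986: query = *( pchar / "/" / "?" ), where pchar covers the
# unreserved set, pct-encoded triplets, sub-delims, ":" and "@".
# Assumption: anything outside this set is the "invalid character" the
# reference refers to.
_QUERY_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~" "!$&'()*+,;=" ":@/?%"
)
LOCAL_CODE_PAGE = "iso-8859-1"  # assumption for the example


def query_has_invalid_chars(query: str) -> bool:
    """True when the raw query contains a character outside the RFC 3986 set."""
    return any(c not in _QUERY_CHARS for c in query)


def decode_query_bytes(raw: bytes, mode: str) -> str:
    """Apply utf8-qstring-support-enabled = yes | no | auto to decoded bytes."""
    if mode == "yes":
        # Only UTF-8 is recognized; assumption: non-UTF-8 bytes are an error.
        return raw.decode("utf-8")
    if mode == "no":
        # UTF-8 is not recognized; everything is the local code page.
        return raw.decode(LOCAL_CODE_PAGE)
    if mode == "auto":
        # Try UTF-8 first, fall back to the local code page otherwise.
        try:
            return raw.decode("utf-8")
        except UnicodeDecodeError:
            return raw.decode(LOCAL_CODE_PAGE)
    raise ValueError(f"unknown utf8-qstring-support-enabled value: {mode!r}")


def process_query(query: str, config: dict) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, decoded query).

    Status 400 stands for the "Bad Request" that WebSEAL returns for an
    invalid character unless validate-query-as-ga = yes (default no)."""
    lenient = config.get("validate-query-as-ga", "no") == "yes"
    if not lenient and query_has_invalid_chars(query):
        return 400, None
    mode = config.get("utf8-qstring-support-enabled", "no")
    return 200, decode_query_bytes(unquote_to_bytes(query), mode)


if __name__ == "__main__":
    # Constructed queries: UTF-8 encoded, ISO-8859-1 encoded, and one with a
    # raw space, which is not a legal query character.
    for q, cfg in [("name=caf%C3%A9", {"utf8-qstring-support-enabled": "yes"}),
                   ("name=caf%E9", {"utf8-qstring-support-enabled": "auto"}),
                   ("size=10 inches", {}),
                   ("size=10 inches", {"validate-query-as-ga": "yes"})]:
        print(q, cfg, "->", process_query(q, cfg))
```

The auto case is the one to watch: the same two bytes %C3%A9 decode cleanly as UTF-8, while %E9 alone fails the UTF-8 check and falls through to the local code page, which is exactly the distinction the auto option describes.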
web-host-name
Syntax
web-host-name = manually-set-webseal-hostname
Description
The manual setting for the WebSEAL server's host name. If left unset, WebSEAL attempts to automatically determine the server's host name. On systems with many hostnames, interfaces, or WebSEAL instances, the automatic determination may not always be correct. The manual setting for web-host-name resolves any conflicts.
Options
manually-set-webseal-hostname
The manual setting for the WebSEAL server's host name, based on the fully qualified machine name.
Usage
This stanza entry is optional.
Default value
www.webseal.com
Example
web-host-name = abc.example.com
web-http-port
Syntax
web-http-port = port for web-http-protocol
Description
Defines the port that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.
Options
port for web-http-protocol
Usage
This stanza entry is optional.
Default value
same as HTTP port
Example
web-http-port = 443
web-http-protocol
Syntax
web-http-protocol = {http | https}
Description
Defines the protocol that the client Web browser uses to connect to WebSEAL for requests that WebSEAL receives on a TCP interface.
Options
http WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTP environment (not HTTPS).
https Most WebSEAL functions will behave as if the client is connected to WebSEAL in an HTTPS environment. There are exceptions and limitations to this rule. You cannot obtain SSL IDs or SSL client certificates using this parameter; therefore, [session] ssl-id-sessions cannot be used as a session key and [certificate] accept-client-certs cannot be used for authentication.
Usage
This stanza entry is optional.
Default value
http
Example
web-http-protocol = http
worker-threads
Syntax
worker-threads = number_of_threads
Description
Number of WebSEAL worker threads.
Options
number_of_threads
Number of WebSEAL worker threads. The minimum value is 1. The maximum number of threads is based on the number of file descriptors set for WebSEAL at compile time. Note that this number varies per operating system. If the value is set to a number larger than the WebSEAL-determined limit, WebSEAL reduces the value to the acceptable limit and issues a warning message.
Usage
This stanza entry is required.
Default value
300
Example
worker-threads = 300
[session] stanza
dsess-enabled
Syntax
dsess-enabled = {yes|no}
Description
Enable or disable use of the Session Management Server (SMS).
Options
yes Enable use of the Session Management Server (SMS). If this is set to "yes" the [dsess] stanza must have information about how to communicate with the SMS.
no Disable use of the Session Management Server (SMS).
Usage
This stanza entry is optional.
Default value
no
Example
dsess-enabled = no
dsess-last-access-update-interval
Syntax
dsess-last-access-update-interval = seconds
Description
Specifies the frequency at which WebSEAL updates the session last access time at the SMS.
Options
seconds
Smaller values offer more accurate inactivity timeout tracking, at the expense of sending updates to the SMS more frequently. Values of less than 1 second are not permitted.
Usage
This stanza entry is optional.
Default value
60
Example
dsess-last-access-update-interval = 60
enforce-max-sessions-policy
Syntax
enforce-max-sessions-policy = {yes|no}
Description
Control whether or not a specific WebSEAL instance enforces the max-concurrent-web-sessions policy.
Options
yes Enforce the max-concurrent-web-sessions policy.
no Do not enforce the max-concurrent-web-sessions policy.
Usage
This stanza entry is ignored unless WebSEAL is using the SMS for session storage.
Default value
yes
Example
enforce-max-sessions-policy = yes
inactive-timeout
Syntax
inactive-timeout = number_of_seconds
Description
Integer value for lifetime, in seconds, of inactive entries in the credential cache.
The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
Options
number_of_seconds
The minimum number for this value is 0. WebSEAL does not impose a maximum value.
A stanza entry value of "0" disables this inactivity timeout feature (inactivity timeout value is unlimited). The control of cache entries is then governed by the timeout and max-entries stanza entries.
When a cache is full, the entries are cleared based on a least-recently-used algorithm.
Usage
This stanza entry is required.
Default value
600
Example
inactive-timeout = 600
unauth-inactive-timeout = 300
logout-remove-cookie
Syntax
logout-remove-cookie = {yes|no}
Description
Specifies whether or not to remove the session cookie from a user's browser when the user logs out from the WebSEAL domain. Setting this stanza entry to yes is necessary for the correct operation and use of the %OLDSESSION% macro.
Options
yes Remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.
no Do not remove the session cookie from a user's browser when the user logs out from the WebSEAL domain.
Usage
This stanza entry is required.
Default value
no
Example
logout-remove-cookie = no
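The use-http-only-cookies entry in the [server] stanza above and logout-remove-cookie here both shape the Set-Cookie headers WebSEAL sends for its session cookies. The following added example (not WebSEAL code) builds those headers from the two settings and includes an audit helper that flags session cookies issued without HttpOnly. The cookie names are the documented [session] defaults; that a removed cookie is expired by re-setting it with a past date, and that HTTPS session cookies carry the Secure attribute, are assumptions of the example.

```python
"""Set-Cookie construction and audit for WebSEAL session cookies, following
use-http-only-cookies and logout-remove-cookie. Added illustration, not
WebSEAL code."""

from email.utils import formatdate
from typing import Dict, List

# Session cookie names as documented for ssl-session-cookie-name and
# tcp-session-cookie-name in the [session] stanza.
SESSION_COOKIE_HTTPS = "PD-S-SESSION-ID"
SESSION_COOKIE_HTTP = "PD-H-SESSION-ID"


def session_set_cookie(name: str, value: str, config: Dict[str, str], secure: bool) -> str:
    """Build the Set-Cookie header for one session cookie.

    HttpOnly is appended only when use-http-only-cookies = yes (the
    documented default is no), so scripts in the page can read the cookie
    under the default setting."""
    parts = [f"{name}={value}", "Path=/"]
    if secure:
        parts.append("Secure")  # assumption: HTTPS session cookies are Secure
    if config.get("use-http-only-cookies", "no") == "yes":
        parts.append("HttpOnly")
    return "; ".join(parts)


def logout_set_cookies(names: List[str], config: Dict[str, str]) -> List[str]:
    """Set-Cookie headers sent with the logout response.

    With logout-remove-cookie = yes the browser is told to discard each
    session cookie (assumption: by re-setting it with an expiry in the
    past); with the default no, nothing is sent and the cookie lingers."""
    if config.get("logout-remove-cookie", "no") != "yes":
        return []
    epoch = formatdate(0, usegmt=True)  # Thu, 01 Jan 1970 00:00:00 GMT
    return [f"{n}=; Path=/; Expires={epoch}; Max-Age=0" for n in names]


def cookies_missing_httponly(set_cookie_headers: List[str], session_names: List[str]) -> List[str]:
    """Audit helper: session cookie names issued without HttpOnly.

    Feed it the Set-Cookie headers of a captured response to verify the
    use-http-only-cookies setting actually took effect."""
    missing = []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in header.split(";")[1:]]
        if name in session_names and "httponly" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    cfg = {"use-http-only-cookies": "yes", "logout-remove-cookie": "yes"}
    # "constructed-session-key" stands in for the real session identifier.
    print(session_set_cookie(SESSION_COOKIE_HTTPS, "constructed-session-key", cfg, secure=True))
    print(logout_set_cookies([SESSION_COOKIE_HTTPS, SESSION_COOKIE_HTTP], cfg))
```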
max-entries
Syntax
max-entries = number_of_entries
Description
Maximum number of concurrent entries in the credentials cache. When the cache size reaches this value, entries are removed from the cache according to a least recently used algorithm to allow new incoming logins.
The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
Options
number_of_entries
The following conditions affect the specified value:
- If the specified value is less than or equal to 0, the cache size becomes unlimited.
- If the specified value is between 0 and 8192, the actual number of entries allowed is rounded up to the next multiple of 32.
- Any specified value greater than 8192 is accepted as given.
WebSEAL does not impose a maximum value.
Usage
This stanza entry is required.
Default value
4096
Example
max-entries = 4096
unauth-max-entries = 1024
prompt-for-displacement
Syntax
prompt-for-displacement = {yes|no}
Description
Determines whether or not a user is prompted for appropriate action when the max-concurrent-web-sessions displace policy has been exceeded.
Options
yes Enables the interactive option, where the user is prompted for appropriate action. When a second login is attempted, the user receives the too_many_sessions.html response page.
no Enables the non-interactive option, where the user is not prompted for appropriate action. When a second login is attempted, the original (older) login session is automatically terminated with no prompt. A new session is created for the user and the user is logged in to this new session transparently. The original (older) session is no longer valid.
Usage
This stanza entry is required.
Default value
yes
Example
prompt-for-displacement = yes
register-authentication-failures
Syntax
register-authentication-failures = {yes|no}
Description
Configure WebSEAL to notify the SMS when login failures occur. SMS can generate a login history based on this information.
Options
yes If set to yes, WebSEAL notifies the SMS when login failures occur so that users can be shown a history of their last successful and failed logins.
no If set to no, WebSEAL does not notify the SMS when login failures occur.
Usage
This stanza entry is optional.
Default value
no
Example
register-authentication-failures = no
require-mpa
Syntax
require-mpa = {yes|no}
Description
Controls whether WebSEAL accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).
Options
yes WebSEAL only accepts HTTP headers from requests that are proxied through an authenticated multiplexing proxy agent (MPA).
no WebSEAL accepts HTTP headers under any condition.
Usage
This stanza entry is required.
Default value
yes
Example
require-mpa = yes
resend-webseal-cookies
Syntax
resend-webseal-cookies = {yes|no}
Description
When you configure WebSEAL to use session cookies, specifies whether or not WebSEAL sends the session cookie to the browser with every response.
Options
yes Specifies that WebSEAL sends the session cookie to the browser with every response. This action helps to ensure that the session cookie remains in the browser memory.
no Specifies that WebSEAL does not send the session cookie to the browser with every response.
Usage
This stanza entry is required.
Default value
no
Example
resend-webseal-cookies = no
send-constant-sess
Syntax
send-constant-sess = {yes|no}
Description
Determines whether a session cookie containing a separate, constant identifier is issued during step-up operations to enable tracking for each authenticated session. The identifier remains constant across a single session, regardless of whether the session key changes. The name of the cookie is that of the actual session code appended with the suffix -2, for example, PD_S_SESSION_ID_2. This feature is intended to augment the -k junction option.
Options
yes A session cookie containing a separate, constant identifier is issued during step-up operations to allow tracking for each authenticated session.
no No session cookie is issued during step-up operations.
Usage
This stanza entry is required.
Default value
no
Example
send-constant-sess = no
shared-domain-cookie
Syntax
shared-domain-cookie = {yes | no}
Description
Enables a cookie-based session to be shared across all standard and virtual host junctions on a single WebSEAL instance. To share a session in this manner, the WebSEAL instance must store a single session key as an independent value in a multi-valued domain cookie. The multi-valued domain cookie must be indexed by the instance name.
The domain cookie itself is shared across all participating WebSEAL instances, but the session values are specific to each instance.
If WebSEAL exists in an environment where SMS already handles single sign-on across domains, do not enable this configuration item.
Options
yes Enables single sign-on across virtual host junctions in the same WebSEAL instance.
no Disables single sign-on across virtual host junctions in WebSEAL.
Usage
This stanza entry is optional.
Default value
no
Example
shared-domain-cookie = yes
ssl-id-sessions
Syntax
ssl-id-sessions = {yes|no}
Description
Indicates whether to use the SSL ID to maintain a user's HTTP login session.
Options
yes Use the SSL ID to maintain a user's HTTP login session.
no Do not use the SSL ID to maintain a user's HTTP login session. This value must be set to no when the following key = value pair is set:
[certificate]
accept-client-certs = prompt_as_needed
Usage
This stanza entry is required.
Default value
yes
Example
ssl-id-sessions = yes
ssl-session-cookie-name
Syntax
ssl-session-cookie-name = name
Description
Specifies the default or custom name of WebSEAL session cookies.
Options
name Specifies the default or custom name of WebSEAL session cookies.
Usage
This stanza entry is required.
Default value
PD-S-SESSION-ID
Example
ssl-session-cookie-name = PD-S-SESSION-ID
standard-junction-replica-set
Syntax
standard-junction-replica-set = replica_set_name
Description
The replica set to use for sessions created when users access standard WebSEAL junctions. Virtual host junctions either use the replica set specified with the virtualhost create -z option or the virtual host name for the junction.
If using the SMS for session storage, the replica set specified here must also be specified in the [replica-sets] stanza.
Options
value Replica set name.
Usage
This stanza entry is required.
Default value
default
Example
standard-junction-replica-set = default
tcp-session-cookie-name
Syntax
tcp-session-cookie-name = name
Description
Specifies the default or custom name of WebSEAL session cookies.
Options
name Specifies the default or custom name of WebSEAL session cookies.
Usage
This stanza entry is required.
Default value
PD-H-SESSION-ID
Example
tcp-session-cookie-name = PD-H-SESSION-ID
temp-session-cookie-name
Syntax
temp-session-cookie-name = cookie_name
Description
Sets the name of the temporary session cookie that is created for session sharing with Microsoft Office applications. WebSEAL creates a temporary cookie with this name when it responds to a /pkmstempsession management page request.
Options
cookie_name
A string value that represents the name of the single-use cookie that WebSEAL uses to store session information.
Note: This configuration entry must be used in conjunction with a non-zero value for the temp-session-max-lifetime entry, which is also in the [session] stanza. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Usage
This stanza entry is required.
Default value
None.
Example
temp-session-cookie-name = PD-TEMP-SESSION-ID
temp-session-max-lifetime
Syntax
temp-session-max-lifetime = number_of_seconds
Description
Positive integer that expresses the maximum lifetime (in seconds) of entries in the temporary session cache.
Options
number_of_seconds
A positive integer that represents the maximum lifetime in seconds. Specify a value of 0 to disable the temporary session cache.
Note: A non-zero value must be configured to enable session sharing with Microsoft Office applications. For more information about sharing sessions with Microsoft Office applications, see the IBM Security Web Gateway Appliance: Configuration Guide for Web Reverse Proxy.
Usage
This stanza entry is optional.
Default value
None.
Example
temp-session-max-lifetime = 10
timeout
Syntax
timeout = number_of_seconds
Description
Integer value for maximum lifetime, in seconds, for an entry in the credential cache.
The value can be configured for a specific session cache (authenticated or unauthenticated) by adding an additional entry, prefixed by auth or unauth.
Options
number_of_seconds
The minimum number for this value is 0. WebSEAL does not impose a maximum value.
A stanza entry value of "0" disables this timeout feature (lifetime value is unlimited). The control of cache entries is then governed by the inactive-timeout and max-entries stanza entries.
When the cache is full, the entries are cleared based on a least-recently-used algorithm.
Usage
This stanza entry is required.
Default value
3600
Example
timeout = 3600
unauth-timeout = 600
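The inactive-timeout, max-entries and timeout entries together decide how long a credential-cache entry lives and what happens when the cache fills. The following added example (not WebSEAL code) is a small credential cache that applies the three rules exactly as this reference states them: a value of 0 disables the respective timeout, max-entries rounds up to a multiple of 32 below 8192, and eviction is least-recently-used. The clock is injected so the walk-through in demo() is deterministic; the stanza values it uses are constructed.

```python
"""Credential cache applying the [session] timeout, inactive-timeout and
max-entries rules. Added illustration, not WebSEAL code."""

from collections import OrderedDict
from typing import Callable, Dict, Optional


def effective_max_entries(configured: int) -> Optional[int]:
    """max-entries rule: <= 0 is unlimited (None), values up to 8192 round up
    to the next multiple of 32, anything larger is taken as given."""
    if configured <= 0:
        return None
    if configured <= 8192:
        return ((configured + 31) // 32) * 32
    return configured


class CredentialCache:
    def __init__(self, config: Dict[str, str], now: Callable[[], int]):
        self.timeout = int(config.get("timeout", "3600"))           # 0 = unlimited
        self.inactive = int(config.get("inactive-timeout", "600"))  # 0 = unlimited
        self.max_entries = effective_max_entries(int(config.get("max-entries", "4096")))
        self.now = now
        # key -> [created, last_access, credential], least recently used first
        self._entries = OrderedDict()

    def add(self, key: str, credential: str) -> None:
        self._expire()
        if self.max_entries is not None and len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)   # cache full: evict the LRU entry
        t = self.now()
        self._entries[key] = [t, t, credential]

    def get(self, key: str) -> Optional[str]:
        self._expire()
        entry = self._entries.get(key)
        if entry is None:
            return None
        entry[1] = self.now()                   # refresh last access time
        self._entries.move_to_end(key)          # now the most recently used
        return entry[2]

    def _expire(self) -> None:
        """Drop entries past their maximum lifetime or their inactivity limit."""
        t = self.now()
        for key in list(self._entries):
            created, last, _ = self._entries[key]
            too_old = self.timeout and t - created >= self.timeout
            too_idle = self.inactive and t - last >= self.inactive
            if too_old or too_idle:
                del self._entries[key]

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Walk one session through the three rules with a fake clock (seconds)."""
    clock = [0]
    cfg = {"timeout": "3600", "inactive-timeout": "600", "max-entries": "1"}
    cache = CredentialCache(cfg, lambda: clock[0])
    result = {"capacity": cache.max_entries}             # 1 rounds up to 32
    cache.add("sess-A", "cred-A")
    clock[0] = 500
    result["alive_at_500"] = cache.get("sess-A")         # 'cred-A', access refreshed
    clock[0] = 1000
    result["alive_at_1000"] = cache.get("sess-A")        # only 500 s idle: 'cred-A'
    clock[0] = 1700
    result["after_700_idle"] = cache.get("sess-A")       # 700 s idle > 600: None
    for i in range(32):
        cache.add(f"sess-{i}", f"cred-{i}")              # fills the 32-entry cache
    cache.get("sess-0")                                  # sess-0 is now most recently used
    cache.add("sess-new", "cred-new")                    # full: evicts the LRU entry, sess-1
    result["evicted"] = cache.get("sess-1")              # None
    result["survivor"] = cache.get("sess-0")             # 'cred-0'
    clock[0] = 1700 + 3600
    result["after_max_lifetime"] = cache.get("sess-0")   # lifetime 3600 s reached: None
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the difference between the two timers: the inactivity timer is reset by every get(), while the lifetime timer counts from creation regardless of activity, which is why sess-0 disappears at 5300 even though it was touched at 1700.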
update-session-cookie-in-login-request
Syntax
update-session-cookie-in-login-request = {yes|no}
Description
Controls whether the existing session cookie, found in the HTTP request, is updated if the session ID is modified during the processing of the request.
Options
yes
The existing session cookie is updated if the session ID is modified during the processing of the request.
no
The existing session cookie is not updated if the session ID is modified during the processing of the request.
Usage
This stanza entry is optional.
Default value
no
Example
update-session-cookie-in-login-request = no
user-session-ids
Syntax
user-session-ids = {yes|no}
Description
Enables or disables the creation and handling of user session IDs.
Options
yes
Enables the creation and handling of user session IDs.
no
Disables the creation and handling of user session IDs.
Usage
This stanza entry is required.
Default value
no
Example
user-session-ids = yes
user-session-ids-include-replica-set
Syntax
user-session-ids-include-replica-set = {yes|no}
Description
Include the replica set in the user session ID.
Options
yes If set to "yes", then user-session-ids = yes includes the replica set.
no If set to "no", then WebSEAL does not include the replica set for user-session-ids = yes and assumes that any user session specified in the pdadmin terminate session command belongs to the default replica set.
Usage
This stanza entry is required.
Default value
yes
Example
user-session-ids-include-replica-set = yes
use-same-session
Syntax
use-same-session = {yes|no}
Description
Indicates whether to use the same session for SSL and HTTP clients.
Options
yes When set to yes, a user who has authenticated over HTTP will be authenticated when connecting over HTTPS. Likewise, the user who has authenticated over HTTPS will be authenticated when connecting over HTTP. Using yes will override ssl-id-sessions = yes, because HTTP clients do not read an SSL ID to maintain sessions.
no Do not use the same session for SSL and HTTP clients.
Usage
This stanza entry is required.
Default value
no
Example
use-same-session = no
[session-cookie-domains] stanza
domain
Syntax
domain = url
Description
Normally WebSEAL session cookies are host cookies that browsers only return to the host that originally set them.
This stanza is used to configure domain session cookies that are sent to any host in a particular DNS domain.
Options
url Domains that share the domain cookie.
Usage
This stanza entry is optional.
Default value
None.
Example
domain = example.com
[session-http-headers] stanza
header_name
Syntax
header_name = {http|https}
Description
Configures HTTP headers to maintain session state.
Options
http
Configures HTTP headers to maintain session state over the HTTP transport.
https
Configures HTTP headers to maintain session state over the HTTPS transport.
Usage
This stanza entry is optional.
Default value
None.
Example
entrust-client = https
[ssl] stanza
base-crypto-library
Syntax
base-crypto-library = {Default|RSA|ICC}
Description
Specifies the cipher engine used by GSKit.
Options
Default
The value Default tells GSKit to use the optimal cryptographic base.
RSA Use RSA. Note that setting it to RSA affects the settings possible for fips-mode-processing.
ICC Use ICC.
Usage
This stanza entry is required.
Default value
Default
Example
base-crypto-library = Default
crl-ldap-server
Syntax
crl-ldap-server = server_name
Description
Specifies the Server to be contacted to obtain Certificate Revocation Lists (CRL).
Options
server_name
This parameter can be set to one of two types of values:
1. The name of the LDAP server to be referenced as a source for Certificate Revocation Lists (CRL) during authentication across SSL junctions. If this is used, you may also need to set the following parameters:
- crl-ldap-server-port
- crl-ldap-user
- crl-ldap-user-password
2. The literal string "URI". In the case where no direct LDAP Server is available, this allows GSKit to obtain revocation information from LDAP or the HTTP Servers as specified by the CA in the Certificate Distribution Point (CDP) extension of the certificate.
NOTE: In addition to specifying the string "URI", it is also possible to specify an HTTP server for crl-ldap-server. However, WebSEAL does not currently support the ability to specify an HTTP proxy server, which can provide performance improvements when HTTP servers are used.
Usage
This stanza entry is optional.
Default value
None.
Example
crl-ldap-server = diamond.example.com
crl-ldap-server-port
Syntax
crl-ldap-server-port = port_number
Description
Port number for communication with the LDAP server specified in crl-ldap-server. The LDAP server is referenced for Certificate Revocation List (CRL) checking during SSL authentication.
Options
port_number
Port number for communication with the LDAP server specified in crl-ldap-server.
Usage
This stanza entry is optional. When crl-ldap-server is set, this stanza entry is required.
Default value
None.
Example
crl-ldap-server-port = 389
crl-ldap-user
Syntax
crl-ldap-user = user_DN
Description
Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.
Options
user_DN
Fully qualified distinguished name (DN) of an LDAP user that has access to the Certificate Revocation List.
Usage
This stanza entry is optional. A null value for crl-ldap-user indicates that the SSL authenticator should bind to the LDAP server anonymously.
Default value
None.
Example
crl-ldap-user = cn=webseald/diamond,cn=SecurityDaemons,secAuthority=Default
crl-ldap-user-password
Syntax
crl-ldap-user-password = password
Description
Password for the user specified in crl-ldap-user.
Options
password
Password for the user specified in crl-ldap-user.
Usage
This stanza entry is optional.
Default value
None.
Example
crl-ldap-user-password = mypassw0rd
disable-ssl-v2
Syntax
disable-ssl-v2 = {yes|no}
Description
Disables support for SSL version 2. Support for SSL v2 is disabled by default. The WebSEAL configuration sets this value.
Options
yes Support is disabled.
no Support is enabled.
Usage
This stanza entry is optional. When not specified, the default is yes.
Default value
yes
Example
disable-ssl-v2 = yes
disable-ssl-v3
Syntax
disable-ssl-v3 = {yes|no}
Description
Disables support for SSL Version 3. Support for SSL V3 is enabled by default. The WebSEAL configuration sets this value.
Options
yes The value yes means support is disabled.
no The value no means the support is enabled.
Usage
This stanza entry is optional. When not specified, the default is no.
Default value
no
Example
disable-ssl-v3 = no
disable-tls-v1
Syntax
disable-tls-v1 = {yes|no}
Description
Disables support for TLS Version 1. Support for TLS V1 is enabled by default. The WebSEAL configuration sets this value.
Options
yes The value yes means support is disabled.
no The value no means the support is enabled.
Usage
This stanza entry is optional. When not specified, the default is no.
Default value
no
Example
disable-tls-v1 = no
disable-tls-v11
Syntax
disable-tls-v11 = {yes|no}
Description
Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.1. WebSEAL supports TLS version 1.1 by default.
Options
yes The value yes disables support for TLS version 1.1.
no The value no enables support for TLS version 1.1.
Usage
This stanza entry is optional. If this entry is not specified, the default is no.
Default value
no
Example
disable-tls-v11 = no
disable-tls-v12
Syntax
disable-tls-v12 = {yes|no}
Description
Determines whether WebSEAL supports Transport Layer Security (TLS) version 1.2. WebSEAL supports TLS version 1.2 by default.
Options
yes The value yes disables support for TLS version 1.2.
no The value no enables support for TLS version 1.2.
Usage
This stanza entry is optional. If this entry is not specified, the default is no.
Default value
no
Example
disable-tls-v12 = no
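The five disable-* entries above are switches, and their documented defaults leave SSL 3.0, TLS 1.0 and TLS 1.1 enabled alongside TLS 1.2. The following added example (not WebSEAL code) reads an [ssl] stanza fragment and reports which protocol versions an instance would accept, placing a fragment that relies on the defaults beside a hardened one. The stanza parser is a minimal one written for the example, and both configuration fragments are constructed.

```python
"""Evaluate the [ssl] protocol switches into the set of accepted protocol
versions. Added illustration, not WebSEAL code; the defaults are the ones
documented for each entry."""

from typing import Dict, List

# Stanza entry -> (protocol version, documented default)
PROTOCOL_SWITCHES = {
    "disable-ssl-v2": ("SSLv2", "yes"),
    "disable-ssl-v3": ("SSLv3", "no"),
    "disable-tls-v1": ("TLSv1.0", "no"),
    "disable-tls-v11": ("TLSv1.1", "no"),
    "disable-tls-v12": ("TLSv1.2", "no"),
}

# Versions a current deployment should not offer: SSLv2 is prohibited by
# RFC 6176, SSLv3 deprecated by RFC 7568, TLS 1.0/1.1 deprecated by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def parse_stanza(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the [stanza] / key = value layout used by webseald.conf."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas


def enabled_protocols(ssl_stanza: Dict[str, str]) -> List[str]:
    """Protocol versions left enabled, applying each entry's documented default."""
    return [
        proto
        for entry, (proto, default) in PROTOCOL_SWITCHES.items()
        if ssl_stanza.get(entry, default).lower() != "yes"
    ]


def weak_protocols(ssl_stanza: Dict[str, str]) -> List[str]:
    """Enabled versions that a configuration review would flag."""
    return [p for p in enabled_protocols(ssl_stanza) if p in DEPRECATED]


# Constructed: an [ssl] stanza that relies on the documented defaults.
DEFAULT_CONF = """
[ssl]
disable-ssl-v2 = yes
"""

# Constructed: the corrected stanza, leaving only TLS 1.2 enabled.
HARDENED_CONF = """
[ssl]
disable-ssl-v2 = yes
disable-ssl-v3 = yes
disable-tls-v1 = yes
disable-tls-v11 = yes
disable-tls-v12 = no
"""

if __name__ == "__main__":
    for label, conf in (("defaults", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        ssl = parse_stanza(conf)["ssl"]
        print(label, "enabled:", enabled_protocols(ssl), "weak:", weak_protocols(ssl))
```

Because every switch defaults to no except disable-ssl-v2, an instance whose [ssl] stanza is never touched still negotiates SSL 3.0 and TLS 1.0; the check above makes that visible from the configuration file alone, before a scanner has to tell you.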
enable-duplicate-ssl-dn-not-found-msgs
Syntax
enable-duplicate-ssl-dn-not-found-msgs = {yes | no}
Description
Determines whether WebSEAL logs a warning message every time you open a connection to a junction that has:
- Either the -K or the -B flag set, but
- The -D flag is not set.
By default, WebSEAL logs duplicate messages whenever it opens another connection to the junction. These messages appear in the following format:
DPWIV1212W No server DN is defined for 'server.ibm.com'. The junctioned server DN verification is not performed.
Options
yes Duplicate messages are created. Every time a connection is opened to a junction that has the -K or -B flags specified without the -D option, WebSEAL logs a warning.
no When the server starts, WebSEAL logs a single warning only for each affected junction.
Usage
This stanza entry is required.
Default value
yes
Example
enable-duplicate-ssl-dn-not-found-msgs = no
fips-mode-processing
Syntax
fips-mode-processing = {yes|no}
Description
Enables or disables FIPS mode processing.
Options
yes A value of yes enables FIPS mode processing.
no A value of no disables FIPS mode processing. When base-crypto-library = RSA, this value must be no.
Usage
This stanza entry is required.
Default value
no
Example
fips-mode-processing = no
gsk-attr-name
Syntax
gsk-attr-name = {enum | string | number}:id:value
Description
Specify additional GSKit attributes to use when initializing an SSL connection with the client. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
Options
{enum | string | number}
The GSKit attribute type.
id The identity associated with the GSKit attribute.
value The value for the GSKit attribute.
Usage
This stanza entry is optional.
You cannot configure the following restricted GSKit attributes:
GSK_BASE_CRYPTO_LIBRARY
GSK_SSL_FIPS_MODE_PROCESSING
GSK_FIPS_MODE_PROCESSING
GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE
GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_CLIENT_AUTH_TYPE
GSK_SESSION_TYPE
GSK_IO_CALLBACK
GSK_RESET_SESSION_TYPE_CALLBACK
GSK_NO_RENEGOTIATION
GSK_ALLOW_ABBREVIATED_RENEGOTIATION
If you attempt to modify any of these attributes then an error message will be generated.
Default value
None.
Example
The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com
Stanza reference 285
See also
“gsk-attr-name” on page 60
“gsk-attr-name” on page 313
“jct-gsk-attr-name” on page 287
gsk-crl-cache-entry-lifetime
Syntax
gsk-crl-cache-entry-lifetime = number_of_seconds
Description
Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache.
See also the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.
Options
number_of_seconds Integer value specifying the lifetime timeout, in seconds, for individual entries in the GSKit CRL cache. The minimum value is 0. The maximum value is 86400 (one day).
Usage
This stanza entry is required.
Default value
0
Example
gsk-crl-cache-entry-lifetime = 0
gsk-crl-cache-size
Syntax
gsk-crl-cache-size = number_of_entries
Description
Integer value indicating the maximum number of entries in the GSKit CRL cache.
See the standards documents for SSL V3 and TLS V1 (RFC 2246) for more information on CRLs.
Options
number_of_entries Integer value indicating the maximum number of entries in the GSKit CRL cache. Minimum value is 0. A value of 0 means that no entries are cached. Neither WebSEAL nor GSKit impose a maximum value on this cache.
Usage
This stanza entry is required.
Default value
0
Example
gsk-crl-cache-size = 0
jct-gsk-attr-name
Syntax
jct-gsk-attr-name = {enum | string | number}:id:value
Description
Specify additional GSKit attributes to use when initializing an SSL connection with a junctioned server. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
Options
{enum | string | number} The GSKit attribute type.
id The identity associated with the GSKit attribute.
value The value for the GSKit attribute.
Usage
This stanza entry is optional.
You cannot configure the following restricted GSKit attributes:
GSK_KEYRING_FILE
GSK_KEYRING_PW
GSK_KEYRING_STASH_FILE
GSK_V2_SIDCACHE_SIZE
GSK_V3_SIDCACHE_SIZE
GSK_V2_SESSION_TIMEOUT
GSK_V3_SESSION_TIMEOUT
GSK_PROTOCOL_SSLV2
GSK_PROTOCOL_SSLV3
GSK_PROTOCOL_TLSV1
GSK_LDAP_SERVER
GSK_LDAP_SERVER_PORT
GSK_LDAP_USER
GSK_LDAP_USER_PW
GSK_CRL_CACHE_SIZE
GSK_CRL_CACHE_ENTRY_LIFETIME
GSK_ACCELERATOR_NCIPHER_NF
GSK_ACCELERATOR_RAINBOW_CS
GSK_PKCS11_DRIVER_PATH
GSK_PKCS11_TOKEN_LABEL
GSK_PKCS11_TOKEN_PWD
GSK_PKCS11_ACCELERATOR_MODE
GSK_BASE_CRYPTO_LIBRARY
GSK_OCSP_ENABLE
GSK_OCSP_URL
GSK_OCSP_NONCE_GENERATION_ENABLE
GSK_OCSP_NONCE_CHECK_ENABLE
GSK_OCSP_REQUEST_SIGKEYLABEL
GSK_OCSP_REQUEST_SIGALG
GSK_OCSP_PROXY_SERVER_NAME
GSK_OCSP_PROXY_SERVER_PORT
GSK_OCSP_RETRIEVE_VIA_GET
GSK_OCSP_MAX_RESPONSE_SIZE
If you attempt to modify any of these attributes then an error message will be generated.
Default value
None.
Example
The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
jct-gsk-attr-name = string:225:proxy.ibm.com
See also
“gsk-attr-name” on page 60
“gsk-attr-name” on page 284
“gsk-attr-name” on page 313
ocsp-enable
Syntax
ocsp-enable = {yes|no}
Description
Enable Online Certificate Status Protocol (OCSP) for checking the revocation status of certificates supplied by a server, using the OCSP URL embedded in the certificate in an Authority Info Access (AIA) extension.
Options
yes Enable OCSP to check the revocation status of server-supplied certificates.
no Disable OCSP checking of server-supplied certificates.
Usage
This stanza entry is optional.
Note: This option can be used as an alternative to, or in conjunction with, the ocsp-url option.
Default value
no
Example
ocsp-enable = no
ocsp-max-response-size
Syntax
ocsp-max-response-size = number of bytes
Description
Sets the maximum response size (in bytes) that will be accepted as a response from an OCSP responder. This limit helps protect against a denial of service attack.
Options
number of bytes Maximum response size, in bytes.
Note: A value of zero (0) indicates that the value is not set in the configuration file and no call to GSKit will be made to adjust its value; in this case, the option will assume the GSKit default of 20480 bytes. Non-zero values will be passed on to GSKit.
Usage
This stanza entry is optional.
Default value
20480
Example
ocsp-max-response-size = 20480
ocsp-nonce-check-enable
Syntax
ocsp-nonce-check-enable = {yes|no}
Description
Determines whether WebSEAL checks the nonce in the OCSP response. Enabling this option improves security but can cause OCSP response validation to fail if there is a caching proxy between WebSEAL and the OCSP Responder. Note that enabling this option automatically enables the ocsp-nonce-generation-enable option, because a response nonce can only be checked against a nonce that WebSEAL sent in the request.
Options
yes WebSEAL checks the nonce in the OCSP response to verify that it matches the nonce from the request.
no WebSEAL does not check the nonce in the OCSP response.
Usage
This stanza entry is optional.
Default value
no
Example
ocsp-nonce-check-enable = no
ocsp-nonce-generation-enable
Syntax
ocsp-nonce-generation-enable = {yes|no}
Description
Determines whether WebSEAL generates a nonce as part of the OCSP request. Enabling this option can improve security by preventing replay attacks on WebSEAL, but may cause an excessive load on an OCSP Responder appliance, because the responder cannot use cached responses and must sign each response.
Options
yes WebSEAL generates a nonce as part of the OCSP request.
no WebSEAL does not generate a nonce as part of the OCSP request.
Usage
This stanza entry is optional.
Default value
no
Example
ocsp-nonce-generation-enable = no
ocsp-proxy-server-name
Syntax
ocsp-proxy-server-name = <proxy host name>
Description
Specifies the name of the proxy server that provides access to the OCSP responder.
Options
proxy host name Fully qualified name of the proxy server.
Usage
This stanza entry is optional.
Default value
None
Example
ocsp-proxy-server-name = proxy.ibm.com
ocsp-proxy-server-port
Syntax
ocsp-proxy-server-port = <proxy host port number>
Description
Specifies the port number of the proxy server that provides access to the OCSP Responder.
Options
proxy host port number Port number used by the proxy server to route OCSP requests and responses.
Usage
This stanza entry is optional.
Default value
None
Example
ocsp-proxy-server-port = 8888
ocsp-url
Syntax
ocsp-url = <OCSP Responder URL>
Description
Specifies the URL for the OCSP Responder. If a URL is provided, WebSEAL will use OCSP for all revocation status checking regardless of whether the certificate has an Authority Info Access (AIA) extension, which means that OCSP will work with existing certificates. WebSEAL will first try the OCSP Responder that is configured by this method rather than using a location specified by the AIA extension. If revocation status is undetermined, and if ocsp-enable is set to yes, then WebSEAL will try to obtain revocation status using the access method in the AIA extension.
Options
OCSP Responder URL URL of the OCSP Responder.
Usage
This stanza entry is optional.
Default value
None
Example
ocsp-url = http://responder.ibm.com/
ssl-keyfile
Syntax
ssl-keyfile = file_name
Description
Specifies the keystore that WebSEAL uses for communicating with other Security Access Manager servers over SSL.
Options
file_name String specifying the name of the keystore that WebSEAL uses to communicate with other Security Access Manager servers over SSL.
Usage
This stanza entry is required.
Default value
<instance_name>-webseald.kdb, where <instance_name> is the name of the WebSEAL instance.
Example
ssl-keyfile = default-webseald.kdb
ssl-keyfile-label
Syntax
ssl-keyfile-label = label_name
Description
String containing a label for the SSL certificate keyfile. When this label is not specified, the default label is used.
This stanza entry is typically modified only by the WebSEAL configuration utility.
Options
label_name String containing a label for the SSL certificate keyfile.
Usage
This stanza entry is optional, but is assigned during WebSEAL configuration.
Default value
PD Server
Example
ssl-keyfile-label = PD Server
ssl-keyfile-pwd
Syntax
ssl-keyfile-pwd = password
Description
String containing the password that protects the private keys in the SSL keyfile.
This stanza entry is typically modified only by the WebSEAL configuration utility.
Options
password When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by ssl-keyfile-stash. This stanza entry stores the password in plain text. Use ssl-keyfile-stash for optimum security.
Usage
This stanza entry is optional.
Default value
None.
Example
ssl-keyfile-pwd = myPassw0rd
ssl-keyfile-stash
Syntax
ssl-keyfile-stash = file_name
Description
Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.
This stanza entry is typically modified only by the WebSEAL configuration utility.
Options
file_name Name of the file containing an obfuscated version of the password used to protect private keys in the SSL keyfile.
Usage
This stanza entry is required.
Default value
instance_name-webseald.sth, where instance_name is the name of the WebSEAL instance.
Example
ssl-keyfile-stash = default-webseald.sth
ssl-local-domain
Syntax
ssl-local-domain = local domain name
Description
This option specifies the local domain for a particular instance of WebSEAL, which allows a single server to host multiple WebSEAL instances, each of which could access a separate domain.
Options
local domain name The local domain for which this instance of WebSEAL is configured. The local domain is provided during WebSEAL configuration and set by the svrsslcfg utility.
Usage
This stanza entry is optional.
Default value
Default
Example
ssl-local-domain = abc.ibm.com
ssl-max-entries
Syntax
ssl-max-entries = number_of_entries
Description
Integer value indicating the maximum number of concurrent entries in the SSL cache.
Options
number_of_entries Integer value indicating the maximum number of concurrent entries in the SSL cache. The minimum value is zero (0), which means that caching is unlimited. Entries between 0 and 256 are set to 256. There is no maximum limit.
Usage
This stanza entry is optional.
Default value
When the stanza entry is not assigned a value, WebSEAL uses a default value of 0. The WebSEAL configuration utility, however, assigns a default value of 4096.
Example
ssl-max-entries = 4096
ssl-v2-timeout
Syntax
ssl-v2-timeout = number_of_seconds
Description
Session timeout in seconds for SSL v2 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.
This value is set by the WebSEAL configuration utility.
Options
number_of_seconds Valid range of values for number_of_seconds is from 1 to 100 seconds.
Usage
This stanza entry is required when SSL is enabled.
Default value
100
Example
ssl-v2-timeout = 100
ssl-v3-timeout
Syntax
ssl-v3-timeout = number_of_seconds
Description
Session timeout in seconds for SSL v3 connections between clients and servers. This timeout value controls how often a full SSL handshake is completed between clients and WebSEAL.
This value is set by the WebSEAL configuration utility.
Options
number_of_seconds Valid range of values for number_of_seconds is from 1 to 86400 seconds, where 86400 seconds is equal to 1 day. If you specify a number outside this range, the default of 7200 seconds will be used.
Usage
This stanza entry is required when SSL is enabled.
Default value
7200
Example
ssl-v3-timeout = 7200
suppress-client-ssl-errors
Syntax
suppress-client-ssl-errors = {true|false}
Description
This stanza entry suppresses error messages that originate from SSL communication problems with the client.
Options
true Suppress error messages that originate from SSL communication problems with the client.
false Do not suppress error messages that originate from SSL communication problems with the client.
Usage
This stanza entry is required when SSL is enabled.
Default value
false
Example
suppress-client-ssl-errors = false
undetermined-revocation-cert-action
Syntax
undetermined-revocation-cert-action = {ignore | log | reject}
Description
Controls the action that WebSEAL takes if OCSP or CRL checking is enabled but the responder cannot determine the revocation status of a certificate (that is, the revocation status is unknown). The appropriate value for this entry should be provided by the OCSP or CRL Responder owner.
Options
ignore WebSEAL ignores the undetermined revocation status and permits use of the certificate.
log WebSEAL logs the fact that the certificate status is undetermined and permits use of the certificate.
reject WebSEAL logs the fact that the certificate status is undetermined and rejects the certificate.
Usage
This stanza entry is required.
Default value
The option defaults to ignore if it is not specified in the configuration file.
Note: The value for this option in the template configuration file is log.
Example
undetermined-revocation-cert-action = log
webseal-cert-keyfile
Syntax
webseal-cert-keyfile = file_name
Description
Specifies the WebSEAL certificate keyfile. This holds the server certificate that WebSEAL presents to browsers when negotiating SSL sessions.
Options
file_name Name of the WebSEAL certificate keyfile.
Usage
This stanza entry is required.
Default value
pdsrv.kdb
Example
webseal-cert-keyfile = pdsrv.kdb
webseal-cert-keyfile-label
Syntax
webseal-cert-keyfile-label = label_name
Description
String specifying a label to use for the WebSEAL certificate keyfile. When this is not specified, the default label is used.
Options
label_name String specifying a label to use for the WebSEAL certificate keyfile.
Usage
This stanza entry is optional, but is set by default during WebSEAL configuration.
Default value
WebSEAL-Test-Only
Example
webseal-cert-keyfile-label = WebSEAL-Test-Only
webseal-cert-keyfile-pwd
Syntax
webseal-cert-keyfile-pwd = password
Description
Password used to protect private keys in the WebSEAL certificate file.
Options
password When this stanza entry is assigned a value, that value is used instead of any password that is contained in the stash file specified by webseal-cert-keyfile-stash. This stanza entry stores the password in plain text. Use the stash file for optimum security.
Usage
This stanza entry is optional.
Default value
None.
Example
webseal-cert-keyfile-pwd = j73R45huu
webseal-cert-keyfile-stash
Syntax
webseal-cert-keyfile-stash = file_name
Description
Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.
Options
file_name Name of the file containing an obfuscated version of the password used to protect private keys in the keyfile.
Usage
This stanza entry is optional.
Default value
pdsrv.sth
Example
webseal-cert-keyfile-stash = pdsrv.sth
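The entries above carry a number of rules that are easy to get wrong in a hand-edited webseald.conf: fips-mode-processing must be no when base-crypto-library = RSA, gsk-crl-cache-entry-lifetime is bounded at 86400, an out-of-range ssl-v3-timeout silently becomes 7200, ssl-max-entries values between 1 and 255 become 256, a zero ocsp-max-response-size leaves the GSKit default of 20480 in place, the *-pwd entries store a key password in plain text, and an absent undetermined-revocation-cert-action defaults to ignore. The following linter, added here as an example and not part of IBM's product or documentation, encodes those rules. It assumes the [ssl] stanza has already been read into a plain dict (repeatable entries such as gsk-attr-name as a list); the severity labels and the sample stanza are this example's own.

```python
"""Lint a WebSEAL [ssl] stanza against the rules stated in the reference (added example)."""
import re

# gsk-attr-name / jct-gsk-attr-name entries must have the form type:id:value
GSK_ATTR_RE = re.compile(r"^(enum|string|number):\d+:.+$")
GSKIT_OCSP_MAX_RESPONSE_DEFAULT = 20480  # applies when ocsp-max-response-size is 0 or absent


def effective_ssl_max_entries(raw):
    """0 means an unlimited cache; 1..255 is raised to 256; there is no upper bound."""
    n = int(raw)
    return 0 if n == 0 else max(n, 256)


def effective_ssl_v3_timeout(raw):
    """Values outside 1..86400 make WebSEAL fall back to the default of 7200."""
    n = int(raw)
    return n if 1 <= n <= 86400 else 7200


def effective_ocsp_max_response_size(raw):
    """0 (or no entry) means GSKit keeps its own default of 20480 bytes."""
    n = int(raw) if raw is not None else 0
    return GSKIT_OCSP_MAX_RESPONSE_DEFAULT if n == 0 else n


def lint_ssl_stanza(ssl):
    """Return a list of (severity, entry, message) findings for an [ssl] stanza dict."""
    findings = []
    if ssl.get("fips-mode-processing") == "yes" and ssl.get("base-crypto-library") == "RSA":
        findings.append(("error", "fips-mode-processing", "must be no when base-crypto-library = RSA"))
    for key in ("ssl-keyfile-pwd", "webseal-cert-keyfile-pwd"):
        if ssl.get(key):
            findings.append(("warn", key, "key password stored in plain text; use the stash file instead"))
    for key in ("gsk-attr-name", "jct-gsk-attr-name"):
        for entry in ssl.get(key, []):
            if not GSK_ATTR_RE.match(entry):
                findings.append(("error", key, f"malformed entry {entry!r}; expected type:id:value"))
    if not 0 <= int(ssl.get("gsk-crl-cache-entry-lifetime", 0)) <= 86400:
        findings.append(("error", "gsk-crl-cache-entry-lifetime", "must be between 0 and 86400 seconds"))
    if "ssl-v2-timeout" in ssl and not 1 <= int(ssl["ssl-v2-timeout"]) <= 100:
        findings.append(("error", "ssl-v2-timeout", "must be between 1 and 100 seconds"))
    if "ssl-v3-timeout" in ssl and effective_ssl_v3_timeout(ssl["ssl-v3-timeout"]) != int(ssl["ssl-v3-timeout"]):
        findings.append(("warn", "ssl-v3-timeout", "outside 1..86400; WebSEAL will use 7200 instead"))
    if "ssl-max-entries" in ssl and effective_ssl_max_entries(ssl["ssl-max-entries"]) != int(ssl["ssl-max-entries"]):
        findings.append(("info", "ssl-max-entries", "values between 1 and 255 are raised to 256"))
    action = ssl.get("undetermined-revocation-cert-action")
    if action is None:
        findings.append(("warn", "undetermined-revocation-cert-action",
                         "not set; defaults to ignore, so certificates with unknown revocation status are accepted silently"))
    elif action == "ignore":
        findings.append(("warn", "undetermined-revocation-cert-action",
                         "ignore accepts certificates whose revocation status could not be determined; prefer log or reject"))
    if ssl.get("ocsp-enable", "no") != "yes" and not ssl.get("ocsp-url"):
        findings.append(("info", "ocsp-enable", "no OCSP checking: ocsp-enable is no and ocsp-url is not set"))
    return findings


# Constructed sample stanza (not from a real deployment) that trips most of the rules.
SAMPLE_SSL = {
    "base-crypto-library": "RSA",
    "fips-mode-processing": "yes",
    "gsk-attr-name": ["string:225:proxy.ibm.com", "bogus"],
    "gsk-crl-cache-entry-lifetime": "0",
    "ocsp-enable": "no",
    "ocsp-max-response-size": "0",
    "ssl-keyfile-pwd": "myPassw0rd",
    "ssl-max-entries": "100",
    "ssl-v2-timeout": "100",
    "ssl-v3-timeout": "99999",
}

if __name__ == "__main__":
    for severity, entry, message in lint_ssl_stanza(SAMPLE_SSL):
        print(f"{severity:5} {entry}: {message}")
```

The effective_* helpers are separate from the linter so that a deployment script can report the value WebSEAL will actually use rather than the one written in the file.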
[ssl-qop] stanza
ssl-qop-mgmt
Syntax
ssl-qop-mgmt = {yes|no}
Description
Enables or disables SSL quality of protection management.
Options
yes The value yes enables SSL quality of protection management.
no The value no disables SSL quality of protection management.
Usage
This stanza entry is required.
Default value
no
Example
ssl-qop-mgmt = no
[ssl-qop-mgmt-default] stanza
default
Syntax
default = {ALL|NONE|cipher_level}
Description
List of string values to specify the allowed encryption levels for HTTPS access.
Values specified in this stanza entry are used for all IP addresses that are not matched in either the [ssl-qop-mgmt-hosts] stanza entries or the [ssl-qop-mgmt-networks] stanza entries.
Options
ALL The value ALL allows all ciphers.
NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.
cipher_level Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       TLS_RSA_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA
Usage
This stanza entry is required.
Default value
ALL
Example
To specify a selected group of ciphers, create a separate entry for each cipher. For example:
default = RC4-128
default = RC2-128
default = DES-168
[ssl-qop-mgmt-hosts] stanza
host-ip
Syntax
host-ip = {ALL|NONE|cipher_level}
Description
List of string values to specify the allowed encryption levels for HTTPS access for a specific IP address.
Note that this stanza has been deprecated and is retained only for backward compatibility.
Options
ALL The value ALL allows all ciphers.
NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.
cipher_level Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       TLS_RSA_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA
Usage
This stanza entry is optional.
Default value
None.
Example
To specify allowable ciphers for a selected group of IP addresses, create a separate entry for each address. For example:
192.0.2.10 = RC4-128
198.51.100.20 = RC2-128
[ssl-qop-mgmt-networks] stanza
network/netmask
Syntax
network/netmask = {ALL|NONE|cipher_level}
Description
List of string values to specify the allowed encryption levels for HTTPS access for a specific combination of IP address and netmask.
Note that this stanza has been deprecated and is retained only for backward compatibility.
Options
ALL The value ALL allows all ciphers.
NONE The value NONE disables all ciphers and uses an MD5 MAC check sum.
cipher_level Legal cipher values are: NULL, DES-56, FIPS-DES-56, DES-168, FIPS-DES-168, RC2-40, RC2-128, RC4-40, RC4-56, RC4-128, AES-128, AES-256
Value         Cipher name in GSKit
NULL          TLS_RSA_WITH_NULL_MD5
DES-56        TLS_RSA_WITH_DES_CBC_SHA
FIPS-DES-56   SSL_RSA_FIPS_WITH_DES_CBC_SHA
DES-168       TLS_RSA_WITH_3DES_EDE_CBC_SHA
FIPS-DES-168  SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
RC2-40        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
RC2-128       TLS_RC2_CBC_128_CBC_WITH_MD5
RC4-40        TLS_RSA_EXPORT_WITH_RC4_40_MD5
RC4-56        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
RC4-128       TLS_RSA_WITH_RC4_128_MD5
AES-128       TLS_RSA_WITH_AES_128_CBC_SHA
AES-256       TLS_RSA_WITH_AES_256_CBC_SHA
Usage
This stanza entry is optional.
Default value
None.
Example
To specify allowable ciphers for a selected group of IP addresses and netmasks, create a separate entry for each address/netmask combination. For example:
192.0.2.0/255.255.255.0 = RC4-128
198.51.0.0/255.255.0.0 = RC2-128
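The three quality-of-protection stanzas together answer one question: given a client address, which cipher suites may WebSEAL negotiate with it? The resolver below, added here as an example and not part of IBM's product, parses the [ssl-qop], [ssl-qop-mgmt-default], [ssl-qop-mgmt-hosts] and [ssl-qop-mgmt-networks] stanzas from webseald.conf text (keeping repeated keys, since one entry per cipher is the documented form), maps the cipher_level labels to the GSKit suite names in the tables above, and applies the documented fallback to the default entry. One assumption is made that the reference does not state: a [ssl-qop-mgmt-hosts] match is taken before a [ssl-qop-mgmt-networks] match. The sample configuration is constructed for the example.

```python
"""Resolve the cipher suites WebSEAL's SSL QoP entries allow for a client (added example)."""
import ipaddress

# cipher_level label -> GSKit cipher name, as tabulated for the three QoP stanzas
CIPHER_MAP = {
    "NULL": "TLS_RSA_WITH_NULL_MD5",
    "DES-56": "TLS_RSA_WITH_DES_CBC_SHA",
    "FIPS-DES-56": "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    "DES-168": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "FIPS-DES-168": "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
    "RC2-40": "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "RC2-128": "TLS_RC2_CBC_128_CBC_WITH_MD5",
    "RC4-40": "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "RC4-56": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "RC4-128": "TLS_RSA_WITH_RC4_128_MD5",
    "AES-128": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES-256": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Constructed sample (documentation address ranges), not a real deployment.
SAMPLE_CONFIG = """
[ssl-qop]
ssl-qop-mgmt = yes

[ssl-qop-mgmt-default]
default = AES-128
default = AES-256

[ssl-qop-mgmt-hosts]
192.0.2.10 = NONE

[ssl-qop-mgmt-networks]
198.51.100.0/255.255.255.0 = RC4-128
198.51.100.0/255.255.255.0 = DES-168
"""


def parse_stanzas(text):
    """Minimal stanza parser: {stanza: [(key, value), ...]} with repeated keys preserved."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def _levels_to_suites(levels):
    """Expand ALL / NONE / cipher_level labels into a set of GSKit suite names."""
    if "NONE" in levels:
        return frozenset()                     # NONE: no cipher may be negotiated
    if "ALL" in levels:
        return frozenset(CIPHER_MAP.values())
    unknown = [lvl for lvl in levels if lvl not in CIPHER_MAP]
    if unknown:
        raise ValueError(f"unknown cipher_level value(s): {unknown}")
    return frozenset(CIPHER_MAP[lvl] for lvl in levels)


def allowed_ciphers(stanzas, client_ip):
    """Suites allowed for client_ip, or None when ssl-qop-mgmt is not yes (no QoP restriction)."""
    if dict(stanzas.get("ssl-qop", [])).get("ssl-qop-mgmt", "no") != "yes":
        return None
    ip = ipaddress.ip_address(client_ip)
    # Assumption: an exact host entry wins over a network entry (the reference does not say).
    host_levels = [v for k, v in stanzas.get("ssl-qop-mgmt-hosts", [])
                   if ipaddress.ip_address(k) == ip]
    if host_levels:
        return _levels_to_suites(host_levels)
    net_levels = [v for k, v in stanzas.get("ssl-qop-mgmt-networks", [])
                  if ip in ipaddress.ip_network(k, strict=False)]
    if net_levels:
        return _levels_to_suites(net_levels)
    # Everything else falls through to [ssl-qop-mgmt-default]; its default value is ALL.
    default_levels = [v for k, v in stanzas.get("ssl-qop-mgmt-default", []) if k == "default"]
    return _levels_to_suites(default_levels or ["ALL"])


STANZAS = parse_stanzas(SAMPLE_CONFIG)

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(client, sorted(allowed_ciphers(STANZAS, client)))
```

Running the resolver over a real webseald.conf is a quick way to audit which of the listed labels a deployment still permits; the NULL, RC2-40, RC4-40 and RC4-56 entries in particular offer no or export-grade protection and belong only in a compatibility list, never in the default.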
[step-up] stanza
retain-stepup-session
Syntax
retain-stepup-session = {yes|no}
Description
Determines whether a session cookie issued during a step-up operation is allowed to be reused or not. This option is only in effect if the verify-step-up-user option is set to yes.
Options
yes Enables the session cookie to be reused during a step-up operation.
no Prevents the session cookie from being reused during a step-up operation.
Usage
This stanza entry is required.
Default value
no
Example
retain-stepup-session = no
show-all-auth-prompts
Syntax
show-all-auth-prompts = {yes|no}
Description
Controls the login prompt response for an unauthenticated user who requests an object protected by a step-up authentication POP attribute.
Options
yes A value of "yes" provides multiple login prompts, one for each enabled authentication method, on each login page.
no A value of "no" provides only the login prompt for the specific authentication level required by the POP (the default).
Usage
This stanza entry is required.
Default value
no
Example
show-all-auth-prompts = no
step-up-at-higher-level
Syntax
step-up-at-higher-level = {yes|no}
Description
This configuration entry controls whether an authentication mechanism that is higher than the requested step-up level is accepted during a step-up operation.
Options
yes Authentication levels higher than the level specified in the POP are accepted during step-up operations.
no Higher authentication levels are disallowed during step-up operations.
Usage
This stanza entry is optional.
Default value
no
Example
step-up-at-higher-level = no
verify-step-up-user
Syntax
verify-step-up-user = {yes|no}
Description
Determines whether the identity of the user performing a step-up operation must match the identity of the user that performed the previous authentication.
Options
yes The identity of the user performing the step-up operation must match the identity of the user that performed the previous authentication. In this case, the retain-stepup-session option controls whether the existing session key is retained during step-up authentication.
no The identity of the user performing the step-up operation need not match the identity of the user that performed the previous authentication operation. In this case, the session key must change during step-up authentication.
Usage
This stanza entry is required.
Default value
yes
Example
verify-step-up-user = yes
[system-environment-variables] stanza
env-name
Syntax
env-name = env-value
Description
Defines system environment variables that are exported by WebSEAL.
During initialization, the WebSEAL daemon exports the environment variables that are defined as entries in the [system-environment-variables] stanza. You must include a separate entry for each system environment variable that you want to export.
Options
env-name The name of the system environment variable.
env-value The value of the system environment variable.
Usage
This stanza entry is optional.
Note:
- This functionality is not supported on Windows platforms.
- The environment variable names are case-sensitive.
Default value
None.
Example
The following example sets the LANG and GSK_TRACE_FILE environment variables.
LANG = de
GSK_TRACE_FILE = /tmp/gsk.trace
[tfimsso:<jct-id>] stanza
always-send-tokens
Syntax
always-send-tokens = {yes|true|no|false}
Description
Indicates whether a security token should be sent for every HTTP request or whether WebSEAL should wait for a 401 response before adding the security token. This configuration item is used to avoid the unnecessary overhead of generating and adding a security token to every request if the back-end Web server is capable of maintaining user sessions. This configuration item is only useful if the request for authentication involves a 401 response, which currently only applies to TFIM SSO.
Options
yes WebSEAL sends a security token for every HTTP request.
no WebSEAL waits for a 401 response before sending a security token for an HTTP request.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
always-send-tokens = false
applies-to
Syntax
applies-to = http://<webseal-server>/<junction>
Description
Path to specify the location to search for the appropriate Security Token Service (STS) module in Tivoli Federated Identity Manager.
Options
http://<webseal-server>/<junction> The host name or IP address of the WebSEAL server, along with the junction name. This address is similar to the URL that is used to access the junction.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
applies-to = http://webseal-server/jct
one-time-token
Syntax
one-time-token = {true | false}
Description
This boolean value is used to indicate whether the security token that is produced by TFIM is only valid for a single transaction. An example of a one-time token is a Kerberos token, which can only be used for a single authentication operation.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
True.
Example
one-time-token = false
preserve-xml-token
Syntax
preserve-xml-token = {true | false}
Description
This value controls whether to use the requested BinarySecurityToken XML structure in its entirety or whether only the encapsulated token should be used. Set this configuration entry to true only if the junctioned Web server understands and expects the BinarySecurityToken XML structure.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
True.
Example
preserve-xml-token = false
renewal-window
Syntax
renewal-window = number of seconds
Description
The length of time, in seconds, by which the expiration of security tokens will be reduced. This entry is used to make allowances for differences in system times and transmission times for the security tokens.
Options
number of seconds Number of seconds by which the expiration of security tokens will be reduced to make allowances for differences between system times and transmission times for security tokens.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
renewal-window = 15
service-name
Syntax
service-name = <servicename>
Description
1. Used by TFIM when searching for a matching trust chain. This configuration entry will be compared against the configured AppliesTo service name value for each trust chain. The second field within the AppliesTo service name configuration entry should be set to either asterisk (*) to match all service names, or it should be set to the value defined by this configuration item. See the TFIM documentation for further details on configuring trust chains.
2. Used as the service principal name of the delegating user when creating a Kerberos token. The service principal name can be determined by executing the Microsoft utility setspn (that is, setspn -L user, where user is the identity of the user on the junctioned Web server).
Options
<service name> The service name which is used to locate the trust chain within TFIM.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
service-name = HTTP/bigblue.wma.ibm.com
tfim-cluster-name
Syntax
tfim-cluster-name = name of cluster
Description
The name of the WebSphere cluster for the Tivoli Federated Identity Manager service. The cluster is defined by this stanza entry along with a corresponding [tfim-cluster:<cluster>] stanza.
Options
name of cluster The name of the WebSphere cluster that contains the Tivoli Federated Identity Manager service.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
tfim-cluster-name = wascluster01
token-collection-size
Syntax
token-collection-size = number
Description
Specifies the number of security tokens for WebSEAL to retrieve from Tivoli Federated Identity Manager in a single request. This construct is currently only supported for the Kerberos STS module.
Note: The number value for this stanza entry should be relatively low. Each token retrieved from Tivoli Federated Identity Manager (TFIM) is quite large; specifying a large number dramatically increases the size of the packets received from TFIM, which in turn increases the size of the session and the amount of memory used by WebSEAL.
Options
number The number of security tokens that WebSEAL will retrieve from Tivoli Federated Identity Manager and cache for subsequent requests.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
token-collection-size = 10
token-type
Syntax
token-type = token_type
Description
Specifies the type of token to be requested from Tivoli Federated Identity Manager. This value should correspond to the 'Token Type URI' field for the corresponding trust chain within TFIM.
Options
token_type The type of token to be requested from Tivoli Federated Identity Manager. Available options are Kerberos, SAML and LDAP.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
token-type = http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
token-transmit-name
Syntax
token-transmit-name = text
Description
The name given to the security token within the junctioned Web server request.
Options
text This is a free text field.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
token-transmit-name = Authorization
token-transmit-type
Syntax
token-transmit-type = {header | cookie}
Description
The type of mechanism which will be used to transmit the security token to the junctioned Web server.
Options
header The security token will be included in a header.
cookie The security token will be included in a cookie.
Usage
This stanza entry is required when TFIM SSO authentication is used over junctions.
Default value
None
Example
token-transmit-type = header
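The [tfimsso:<jct-id>] entries interact: token-collection-size fixes how many tokens one STS round trip yields, one-time-token decides whether a token survives its first use, renewal-window shortens each token's usable life to absorb clock skew and transit time, always-send-tokens decides whether a token goes on every request or only after a 401, and token-transmit-type with token-transmit-name decide where the token lands in the junction request. The model below, added here as an example and not IBM's implementation, exercises those rules against a constructed stand-in for the TFIM STS that issues numbered tokens with a 60-second lifetime; the class and function names, the fake clock and the stub STS are this example's own.

```python
"""Model of how the [tfimsso:<jct-id>] entries shape token handling on a junction (added example)."""
from dataclasses import dataclass


@dataclass
class Token:
    value: str
    expires_at: float  # absolute time the STS put on the token


class FakeClock:
    """Settable clock so the expiry logic can be exercised deterministically."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class StubSts:
    """Constructed stand-in for TFIM: issues tok-1, tok-2, ... each valid for 60 s."""
    def __init__(self, clock):
        self.clock, self.calls, self.issued = clock, 0, 0

    def __call__(self, count):
        self.calls += 1
        batch = []
        for _ in range(count):
            self.issued += 1
            batch.append(Token(f"tok-{self.issued}", self.clock() + 60))
        return batch


class TokenCache:
    """Holds the tokens fetched in one request (token-collection-size) and hands them out."""
    def __init__(self, cfg, fetch, now):
        self.cfg, self.fetch, self.now = cfg, fetch, now
        self.tokens = []

    def _usable(self, tok):
        # renewal-window reduces the expiry to allow for clock skew and transit time
        return tok.expires_at - self.cfg["renewal-window"] > self.now()

    def get(self):
        self.tokens = [t for t in self.tokens if self._usable(t)]
        if not self.tokens:
            self.tokens = list(self.fetch(self.cfg["token-collection-size"]))
        tok = self.tokens[0]
        if self.cfg["one-time-token"]:
            self.tokens.pop(0)  # a Kerberos token is good for one authentication only
        return tok


def should_send_token(cfg, previous_status):
    """always-send-tokens = yes sends on every request; otherwise only after a 401."""
    return bool(cfg["always-send-tokens"]) or previous_status == 401


def build_request(cfg, token):
    """Place the token where token-transmit-type / token-transmit-name say it goes."""
    headers, cookies = {}, {}
    if cfg["token-transmit-type"] == "header":
        headers[cfg["token-transmit-name"]] = token.value
    elif cfg["token-transmit-type"] == "cookie":
        cookies[cfg["token-transmit-name"]] = token.value
    else:
        raise ValueError("token-transmit-type must be header or cookie")
    return {"headers": headers, "cookies": cookies}


def demo():
    """Walk through the token lifecycle and return the observable results."""
    clock = FakeClock()
    sts = StubSts(clock)
    cfg = {"always-send-tokens": False, "one-time-token": True,
           "token-collection-size": 3, "renewal-window": 15,
           "token-transmit-type": "header", "token-transmit-name": "Authorization"}
    cache = TokenCache(cfg, sts, clock)
    first_three = [cache.get().value for _ in range(3)]  # one STS round trip serves three requests
    calls_after_three = sts.calls
    fourth = cache.get().value                             # collection exhausted: second round trip
    calls_after_four = sts.calls
    clock.t += 50   # 10 s of nominal life left, inside the 15 s renewal window, so treated as expired
    after_skew = cache.get().value                         # third round trip
    request = build_request(cfg, Token("tok-x", clock() + 60))
    return {"first_three": first_three, "calls_after_three": calls_after_three,
            "fourth": fourth, "calls_after_four": calls_after_four,
            "after_skew": after_skew, "calls_after_skew": sts.calls,
            "header_name": next(iter(request["headers"])),
            "send_on_200": should_send_token(cfg, 200),
            "send_on_401": should_send_token(cfg, 401)}


if __name__ == "__main__":
    print(demo())
```

The renewal-window check is the part worth noticing: a token that still has nominal life left is discarded once that remainder is shorter than the window, so a large window on a short-lived token turns every request into an STS round trip.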
[tfim-cluster:<cluster>] stanza
This stanza contains definitions for a particular cluster of Tivoli Federated Identity Manager servers.
basic-auth-user
Syntax
basic-auth-user = <user_name>
Description
Specifies the name of the user for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.
Options
<user_name> The user name that WebSEAL includes in the basic authentication header.
Usage
This stanza entry is optional.
Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.
Default value
None.
Example
basic-auth-user = user_name
basic-auth-passwd
Syntax
basic-auth-passwd = <password>
Description
Specifies the password for WebSEAL to include in the basic authentication header when communicating with the Tivoli Federated Identity Manager server.
Options
<password> The password that WebSEAL includes in the basic authentication header.
Usage
This stanza entry is optional.
Note: Configure this entry if the Tivoli Federated Identity Manager server is configured to require basic authentication.
Default value
None.
Example
basic-auth-passwd = password
gsk-attr-name
Syntax
gsk-attr-name = {enum | string | number}:id:value
Description
Specify additional GSKit attributes to use when initializing an SSL connection with Tivoli® Federated Identity Manager. A complete list of the available attributes is included in the GSKit SSL API documentation. This configuration entry can be specified multiple times. Configure a separate entry for each GSKit attribute.
Options
{enum | string | number}
The GSKit attribute type.
id The identity associated with the GSKit attribute.
value The value for the GSKit attribute.
Usage
This stanza entry is optional.
You cannot configure the following restricted GSKit attributes:
GSK_KEYRING_FILE
GSK_KEYRING_STASH_FILE
GSK_KEYRING_LABEL
GSK_CIPHER_V2
GSK_V3_CIPHER_SPECS
GSK_PROTOCOL_TLSV1
GSK_FIPS_MODE_PROCESSING
If you attempt to modify any of these attributes then an error message will be generated.
Default value
None.
Example
The following entry is for the GSKit attribute GSK_HTTP_PROXY_SERVER_NAME, which has an identity value of 225:
gsk-attr-name = string:225:proxy.ibm.com
See also
“gsk-attr-name” on page 60
“gsk-attr-name” on page 284
“jct-gsk-attr-name” on page 287
handle-idle-timeout
Syntax
handle-idle-timeout = <number>
Description
Specifies the length of time, in seconds, before an idle handle is removed from the handle pool cache.
Options
<number>
Length of time, in seconds, before an idle handle is removed from the handle pool cache.
Usage
This stanza entry is required when Kerberos authentication is used over junctions.
Default value
None
Example
handle-idle-timeout = 240
handle-pool-size
Syntax
handle-pool-size = <number>
Description
Specifies the maximum number of cached handles that WebSEAL uses when communicating with Tivoli Federated Identity Manager.
Options
<number>
Maximum number of handles that WebSEAL caches to communicate with Tivoli Federated Identity Manager.
Usage
This stanza entry is required when Kerberos authentication is used over junctions.
Default value
10
Example
handle-pool-size = 10
server
Syntax
server = {[0-9],}<URL>
Description
Specifies the priority level and URL for a single Tivoli Federated Identity Manager server that is a member of the cluster identified for this [tfim-cluster:<cluster>] stanza.
Options
[0-9] A digit, 0-9, that represents the priority of this server within the cluster (9 is the highest, 0 is the lowest). If the priority is not specified, a priority of 9 is assumed.
Note: There can be no space between the comma (,) and the URL. If no priority is specified, the comma is omitted.
<URL>
A well-formed HTTP or HTTPS uniform resource locator for the server.
Usage
This stanza entry is required when Kerberos authentication is used over junctions.
Note: You can specify multiple server entries for a particular cluster for failover and load balancing.
Default value
None
Example
server = 9,http://tfim-server.example.com/TrustServerWST13/services/RequestSecurityToken
ssl-fips-enabled
Syntax
ssl-fips-enabled = {yes|no}
Description
Determines whether Federal Information Processing Standards (FIPS) mode is enabled with Tivoli Federated Identity Manager.
Note: If no configuration entry is present, the global setting, determined by the Access Manager policy server, takes effect.
Options
yes FIPS mode is enabled.
no FIPS mode is disabled.
Usage
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Note: If you want to use a FIPS level that is different from that of the Access Manager policy server, edit the configuration file and specify a value for this entry.
Example
ssl-fips-enabled = yes
ssl-keyfile
Syntax
ssl-keyfile = <file_name>
Description
Specifies the name of the key database file that houses the client certificate for WebSEAL to use.
Options
<file_name>
Name of the key database file that contains the client-side certificate for WebSEAL to use when Tivoli Federated Identity Manager single sign-on is enabled for the junction.
Usage
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile = default-webseald.kdb
ssl-keyfile-label
Syntax
ssl-keyfile-label = <label-name>
Description
Specifies the label of the client-side certificate in the key database.
Options
<label-name>
Label of the client-side certificate in the key database.
Usage
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-label = WebSEAL-Test
ssl-keyfile-stash
Syntax
ssl-keyfile-stash = <filename.sth>
Description
Specifies the name of the password stash file for the key database file.
Options
<filename.sth>
The name of the password stash file for the key database file.
Usage
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-keyfile-stash = default-webseald.sth
ssl-valid-server-dn
Syntax
ssl-valid-server-dn = <DN-value>
Description
Specifies the distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL can accept.
Options
<DN-value>
The distinguished name of the server, which is obtained from the server SSL certificate, that WebSEAL accepts. If no value is specified, then WebSEAL considers all domain names valid. You can specify multiple domain names by including multiple ssl-valid-server-dn configuration entries.
Usage
This stanza entry is required if both of the following conditions are true:
- One or more of the cluster server entries use SSL (that is, contains an HTTPS protocol specification in the URL).
- A certificate is required other than the default certificate used by WebSEAL when communicating with the policy server. The [ssl] stanza contains details of the default certificate.
Note: If this entry is required, but it is not specified in the [tfim-cluster:<cluster>] stanza, WebSEAL uses the value in the global [ssl] stanza.
Default value
None.
Example
ssl-valid-server-dn = CN=Access Manager,OU=SecureWay,O=Tivoli,C=US
timeout
Syntax
timeout = <number of seconds>
Description
Specifies the length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.
Options
<number of seconds>
The length of time, in seconds, to wait for a response from Tivoli Federated Identity Manager.
Usage
This stanza entry is required when Kerberos authentication is used over junctions.
Default value
None.
Example
timeout = 240
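The entries of a [tfim-cluster:<cluster>] stanza interact: server priorities default to 9 when the comma and digit are omitted, a space after the comma is a syntax error, and once any server URL is HTTPS the ssl-* entries that are absent from the cluster stanza are silently taken from the global [ssl] stanza. The following checker is an added example, not IBM or WebSEAL code; it parses a constructed stanza (the cluster name tfim-prod, the host names and the proxy value are placeholders) and reports the resulting server order, which ssl-* settings would be inherited, and any malformed entries:

```python
"""Check a [tfim-cluster:<cluster>] stanza against the rules in this section.

This is an added example, not code from IBM or the WebSEAL product. The stanza
text is constructed for illustration: the cluster name "tfim-prod", the host
names and the proxy value are placeholders. It applies the documented rules:
a server entry is "{[0-9],}<URL>" with no space after the comma and a default
priority of 9; gsk-attr-name is "{enum|string|number}:id:value"; and, when any
server URL is HTTPS, every ssl-* entry missing from the cluster stanza is
inherited from the global [ssl] stanza.
"""
import re
from urllib.parse import urlparse

# ssl-* entries that fall back to the global [ssl] stanza when not given here.
SSL_ENTRIES = ("ssl-fips-enabled", "ssl-keyfile", "ssl-keyfile-label",
               "ssl-keyfile-stash", "ssl-valid-server-dn")
NUMERIC_ENTRIES = ("handle-idle-timeout", "handle-pool-size", "timeout")

SAMPLE_STANZA = """\
[tfim-cluster:tfim-prod]
server = 9,https://tfim1.example.com/TrustServerWST13/services/RequestSecurityToken
server = 5,https://tfim2.example.com/TrustServerWST13/services/RequestSecurityToken
server = http://tfim-fallback.example.com/TrustServerWST13/services/RequestSecurityToken
ssl-keyfile = default-webseald.kdb
ssl-keyfile-label = WebSEAL-Test
gsk-attr-name = string:225:proxy.example.com
handle-pool-size = 10
timeout = 240
"""


def parse_stanza(text):
    """Return (stanza name, ordered list of (key, value)) for one stanza."""
    name, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        entries.append((key.strip(), value.strip()))
    return name, entries


def parse_server(value):
    """Split a server value into (priority, url); priority defaults to 9."""
    match = re.fullmatch(r"(?:([0-9]),)?(\S+)", value)
    if not match:  # rejects "9, http://..." (space after the comma) and empty values
        raise ValueError(f"malformed server entry: {value!r}")
    priority = 9 if match.group(1) is None else int(match.group(1))
    url = match.group(2)
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"server URL must be HTTP or HTTPS: {value!r}")
    return priority, url


def server_entry_is_valid(value):
    """True when parse_server accepts the value."""
    try:
        parse_server(value)
        return True
    except ValueError:
        return False


def check_cluster(text):
    """Summarize the cluster and list the problems a reviewer would flag."""
    name, entries = parse_stanza(text)
    keys = {key for key, _ in entries}
    problems = []
    # Highest priority first; sorted() is stable, so equal priorities keep file order.
    servers = sorted((parse_server(v) for k, v in entries if k == "server"),
                     key=lambda s: s[0], reverse=True)
    if not servers:
        problems.append("no server entries")
    for key, value in entries:
        if key == "gsk-attr-name":
            parts = value.split(":", 2)
            if (len(parts) != 3 or parts[0] not in ("enum", "string", "number")
                    or not parts[1].isdigit()):
                problems.append(f"malformed gsk-attr-name: {value}")
        elif key in NUMERIC_ENTRIES and not value.isdigit():
            problems.append(f"{key} must be a number: {value}")
    uses_https = any(url.startswith("https://") for _, url in servers)
    # With HTTPS servers, missing ssl-* entries are taken from the global [ssl] stanza.
    inherited = [e for e in SSL_ENTRIES if e not in keys] if uses_https else []
    return {"cluster": name, "servers": servers, "uses_https": uses_https,
            "inherited_from_ssl": inherited, "problems": problems}


if __name__ == "__main__":
    for field, value in check_cluster(SAMPLE_STANZA).items():
        print(f"{field}: {value}")
```

The inherited_from_ssl list is the one worth reading before deployment: each entry in it means the cluster's TLS client certificate, stash file, FIPS setting or accepted server DN is whatever the global [ssl] stanza says, not something chosen for this cluster.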
[uraf-registry] stanza
bind-id
Syntax
bind-id = server_id
Description
An administrator or user login identity for the registry server that WebSEAL can use to bind (sign on) to the registry server.
If the ID belongs to a user rather than an administrator, the user must have privileges to update and modify data in the user registry.
The WebSEAL configuration process generates this value. Do not change it.
Options
server_id
The server_id is an alphanumeric string that is not case-sensitive. String values must contain characters that are part of the local code set.
The underlying registry determines whether there are any limits on the minimum and maximum lengths of the ID. For Active Directory, the maximum length is 256 alphanumeric characters.
Usage
This stanza entry is required if you are not using an LDAP registry.
Default value
The default value is server-specific.
Example
bind-id = MySvrAdminID
cache-lifetime
Syntax
cache-lifetime = number_seconds
Description
Number of seconds that the objects are allowed to stay in the cache.
This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.
Options
number_seconds
The timeout specified in number of seconds. Use a number within the range of 1 to 86400. For performance tuning, the longer the time specified, the longer the repetitive Read advantage is held. A smaller number of seconds negates the cache advantage for user-initiated Reads.
Usage
This stanza entry is optional.
If cache-mode = enabled and this stanza entry is not used, the default value of 30 seconds will be used.
Default value
30
Example
cache-lifetime = 63200
cache-mode
Syntax
cache-mode = {enabled|disabled}
Description
Mode for caching that represents the cache being either turned on or turned off.
This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.
Options
enabled
Turns the cache on. You would enable the cache mode to improve the performance of repetitive Read actions on a specified object, such as login performance for users who log in more than once a day. Performance for Write actions would not be improved.
disabled
Turns the cache off. You would disable the cache mode for better security. Caching opens a small window for users to go from server to server in order to bypass the maximum number of failed login attempts.
Usage
This stanza entry is optional. This stanza entry is normally provided for all Security Access Manager servers, except for the policy server pdmgrd.
Default value
enabled
Example
cache-mode = enabled
cache-size
Syntax
cache-size = {number_objects|object type:cache count value}
Description
Maximum number of objects for a particular type of object that can be in the cache at one time without hash table collisions. Or, if it is not numeric, it is a list of one or more object types and their cache count values.
This stanza entry does not appear in the ivmgrd.conf configuration file because you do not want the policy server object to be cached.
Options
number_objects
Maximum number of objects must be a prime number for the cache count values. Range value is from 3 to a maximum number that is logical for the task and that does not affect performance. Non-prime numbers are automatically rounded up to the next higher prime number. If the number fails, the default value will be used.
object type:cache count value
List of one or more object types and their cache count values. Examples:
cache-size = user:251;group:251;resgroup:251;resource:251;rescreds:251;
or
cache-size = user:251;group:251;
The second example sets the user and group cache sizes to 251 and does not use any cache for the others.
Performance tuning depends on how much memory space is dedicated to a cache or how many objects you typically have repetitive Read actions on (such as how many users you have logging in a day). For example, a setting of 251 might not be good if you have 1000 users logging in and out several times a day. However, if only 200 of those users log in and out repetitively during the day, 251 might work well.
Usage
This stanza entry is optional.
If cache-mode = enabled and this stanza entry is not used, the default value for cache size will be used.
Default value
The default value is server-specific.
Example
cache-size = 251
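The rounding rule above (a non-prime count is rounded up to the next prime, values below 3 are rejected, and a value that fails falls back to the default) is easy to get wrong when sizing caches for a registry with many object types. The following function is an added example, not IBM's code: it interprets both forms of the cache-size value the way the entry describes. The fallback default of 251 and the "*" key used for a bare number are conventions of this example, since the real default is server-specific.

```python
"""Interpret a [uraf-registry] cache-size value as the entry above describes.

Added example, not IBM's code. It applies the documented rules: a numeric value
must be at least 3 and is rounded up to the next prime; a non-numeric value is a
';'-separated list of object_type:count pairs, each rounded the same way; a
value that fails falls back to the default. The fallback default (251) and the
"*" key meaning "applies to every object type" are conventions of this example
only; the product default is server-specific.
"""

DEFAULT_CACHE_SIZE = 251  # placeholder for the server-specific default


def is_prime(n):
    """Trial division; cache counts are small enough for this to be instant."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    """Smallest prime >= n (a prime input is returned unchanged)."""
    while not is_prime(n):
        n += 1
    return n


def parse_cache_size(value, default=DEFAULT_CACHE_SIZE):
    """Return {object_type: count} with every count rounded up to a prime."""
    value = value.strip()
    if value.isdigit():                      # form 1: a single number
        n = int(value)
        return {"*": next_prime(n) if n >= 3 else default}
    sizes = {}                               # form 2: type:count;type:count;...
    for item in filter(None, (p.strip() for p in value.split(";"))):
        obj_type, sep, count = item.partition(":")
        if not sep or not count.strip().isdigit():
            return {"*": default}            # malformed list: whole entry fails
        n = int(count)
        sizes[obj_type.strip()] = next_prime(n) if n >= 3 else default
    return sizes or {"*": default}


if __name__ == "__main__":
    for sample in ("251", "250", "2", "user:1000;group:251;", "user:abc"):
        print(f"{sample!r:28} -> {parse_cache_size(sample)}")
```

Note that the trailing ";" in the documented examples is accepted because empty items are skipped; object types named in the list get their own cache and, as the reference says, the others get none.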
[user-agent] stanza
user-agent
Syntax
user-agent = pattern
Description
When recording flow data statistics, WebSEAL can categorize the incoming requests based on the user-agent string in the HTTP Request header. Categorizing requests based on the user-agent can make the statistical data more useful.
Use this stanza to specify a list of category names and patterns for the user-agent strings to match. You can repeat a category so that multiple patterns match a single category. The patterns are evaluated in the order of their definition. WebSEAL selects the first match to categorize each request.
Note: The stanza must always end with an entry that contains the match-all pattern *.
Options
pattern The appliance uses this pattern to categorize the incoming requests. The appliance categorizes each request by matching the user-agent string value in the HTTP Request header with the defined pattern list.
Note: The pattern can contain the wildcard characters * and ?. The patterns are not case-sensitive.
Usage
This stanza entry is optional.
Default value
None.
Example
In this example, both Android and iOS user-agent strings match the MOBILE category. WebSEAL uses the SUNDRY category if a user-agent string does not match any of the other defined patterns.
INTERNET_EXPLORER = *msie*
FIREFOX = *firefox*
CHROME = *chrome*
MOBILE = *android*
MOBILE = *ios*
SUNDRY = *
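Because the first matching pattern wins, the order of the entries decides how an ambiguous user-agent string is counted: a Chrome-on-Android browser carries both "Chrome" and "Android", and with the stanza above it lands in CHROME, not MOBILE. The following categorizer is an added example, not IBM's code; it applies the documented rules (definition order, case-insensitive matching, * and ? as the only wildcards, mandatory trailing *) to the stanza above and to a handful of user-agent strings constructed for the example:

```python
"""Categorize user-agent strings the way the [user-agent] stanza above describes.

Added example, not IBM's code. It implements the documented rules: entries are
evaluated in definition order, '*' and '?' are the only wildcards, matching is
case-insensitive, the first match wins, and the stanza must end with the
match-all pattern '*'. The stanza text is the one from the example above; the
user-agent strings are constructed for this example.
"""
import re

SAMPLE_STANZA = """\
[user-agent]
INTERNET_EXPLORER = *msie*
FIREFOX = *firefox*
CHROME = *chrome*
MOBILE = *android*
MOBILE = *ios*
SUNDRY = *
"""

# Constructed user-agent strings; the third carries both "Android" and "Chrome".
SAMPLE_AGENTS = [
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
    "Mozilla/5.0 (Linux; Android 4.1.1; Nexus 7) AppleWebKit/535.19 Chrome/18.0.1025.166 Safari/535.19",
    "MyBankApp/2.1 (iOS 6.0; iPhone5,1)",
    "curl/7.29.0",
]


def glob_to_regex(pattern):
    """Compile a pattern in which only '*' and '?' are special."""
    # re.escape neutralizes regex metacharacters; only the two documented
    # wildcards are then reinstated. DOTALL lets '*' span anything, and
    # IGNORECASE gives the documented case-insensitive matching.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", re.IGNORECASE | re.DOTALL)


def parse_user_agent_stanza(text):
    """Return an ordered list of (category, pattern, compiled regex)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        category, sep, pattern = line.partition("=")
        if not sep:
            raise ValueError(f"malformed entry: {line!r}")
        pattern = pattern.strip()
        rules.append((category.strip(), pattern, glob_to_regex(pattern)))
    if not rules or rules[-1][1] != "*":
        raise ValueError("the [user-agent] stanza must end with the match-all pattern *")
    return rules


def stanza_is_valid(text):
    """True when the stanza parses and ends with the required '*' entry."""
    try:
        parse_user_agent_stanza(text)
        return True
    except ValueError:
        return False


def categorize(user_agent, rules):
    """Return the category of the first rule whose pattern matches."""
    for category, _, regex in rules:
        if regex.match(user_agent):
            return category
    return None  # not reached when the stanza ends with '*'


def categorize_all(agents, stanza_text=SAMPLE_STANZA):
    """Categorize each user-agent string with the rules parsed from the stanza."""
    rules = parse_user_agent_stanza(stanza_text)
    return [categorize(ua, rules) for ua in agents]


if __name__ == "__main__":
    for ua, category in zip(SAMPLE_AGENTS, categorize_all(SAMPLE_AGENTS)):
        print(f"{category:18} {ua}")
```

If MOBILE traffic should be counted ahead of browser families, move the MOBILE entries above CHROME; the categorizer reproduces whichever order the stanza lists, which is the behaviour to keep in mind when reading the flow statistics.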
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement might not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
© Copyright IBM Corp. 2002, 2012
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. You may copy, modify, and distribute these sample programs in any form without payment to IBM for the purposes of developing, using, marketing, or distributing application programs conforming to IBM's application programming interfaces.
Each copy or any portion of these sample programs or any derivative work, must include a copyright notice as follows:
© (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. © Copyright IBM Corp. _enter the year or years_. All rights reserved.
If you are viewing this information in softcopy form, the photographs and color illustrations might not be displayed.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Cell Broadband Engine and Cell/B.E. are trademarks of Sony Computer Entertainment, Inc., in the United States, other countries, or both and is used under license therefrom.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Index
Special characterspam-issue stanza entry
pam-resource: URI stanzaURIstanza 208
resource-name stanza entryhttp-transformations stanza 107
user-agent stanza entryuser-agent stanza 322
Aabsolute-uri-in-request-log stanza entry
logging stanza 171accept-client-certs stanza entry
certificate stanza 42access stanza entry
p3p-header stanza 194accessibility xivaccount-expiry-notification stanza entry
acnt-mgt stanza 1account-inactivated stanza entry
acnt-mgt stanza 1account-locked stanza entry
acnt-mgt stanza 2acnt-mgt stanza 1
account-expiry-notification entry 1account-inactivated entry 1account-locked entry 2allow-unauthenticated-logout entry 3allowed-referers entry 3cert-failure entry 4cert-stepup-http entry 5certificate-login entry 5change-password-auth entry 6client-notify-tod entry 6enable-html-redirect entry 7enable-local-response-redirect entry 7enable-passwd-warn entry 8enable-secret-token-validation
entry 9help entry 10html-redirect entry 11http-rsp-header entry 10login entry 11login-redirect-page entry 12login-success entry 13logout entry 13passwd-change entry 14passwd-change-failure entry 14passwd-change-success entry 15passwd-expired entry 15passwd-warn entry 16passwd-warn-failure entry 16redirect-to-root-for-pkms entry 17single-signoff-uri entry 17stepup-login entry 18switch-user entry 19temp-cache-response entry 19too-many-sessions entry 20
acnt-mgt stanza (continued)use-filename-for-pkmslogout
entry 21use-restrictive-logout-filenames
entry 20agents stanza entry
logging stanza 171allow-backend-domain-cookies stanza
entryjunction stanza 121, 128
allow-empty-form-fields stanza entryforms stanza 103
allow-shift-jis-chars stanza entryserver stanza 225
allow-unauth-ba-supply stanza entryserver stanza 225
allow-unauthenticated-logout stanzaentry
acnt-mgt stanza 3allow-unsolicited-logins stanza entry
server stanza 226allowed-referers stanza entry
acnt-mgt stanza 3always-send-tokens stanza entry
tfimsso: stanza 306applies-to stanza entry
tfimsso: stanza 307apply-tam-native-policy stanza entry
oauth-eas stanza 186rtss-eas stanza 213
attribute_name_pattern stanza entrycredential-refresh-attributes stanza 57
attribute_pattern stanza entrycdsso-incoming-attributes stanza 39ecsso-incoming-attributes stanza 85failover-add-attributes stanza 93failover-restore-attributes stanza 95,
96audit-attribute stanza entry
aznapi-configuration stanza 23audit-log-cfg stanza entry
rtss-eas stanza 214audit-mime-types stanza entry
logging stanza 172audit-response-codes stanza entry
logging stanza 172auditcfg stanza entry
aznapi-configuration stanza 23auditlog stanza entry
aznapi-configuration stanza 24auth-challenge-type stanza entry
server stanza 227auth-cookies stanza 21
cookie entry 21auth-timeout stanza entry
ldap stanza 152auth-using-compare stanza entry
ldap stanza 153authentication_level stanza entry
credential-refresh-attributes stanza 57authentication-levels stanza 22
authentication-levels stanza (continued)level entry 22
authtoken-lifetime stanza entrycdsso stanza 35
azn-decision-info stanza 33azn-decision-info stanza entry
azn-decision-info stanza 33aznapi-configuration stanza 23
audit-attribute entry 23auditcfg entry 23auditlog entry 24cache-refresh-interval entry 25cred-attribute-entitlement-services
entry 25dynamic-adi-entitlement-services
entry 26input-adi-xml-prolog entry 26listen-flags entry 27logaudit entry 27logcfg entry 28logclientid entry 28logflush entry 29logsize entry 30permission-info-returned entry 30policy-attr-separator entry 31policy-cache-size entry 31resource-manager-provided-adi
entry 32xsl-stylesheet-prolog entry 33
Bba stanza 34
ba-auth entry 34basic-auth-realm entry 35
ba-auth stanza entryba stanza 34
bad-gateway-rsp-file stanza entryoauth-eas stanza 187
bad-request-rsp-file stanza entryoauth-eas stanza 187
base-crypto-library stanza entryssl stanza 278
basic-auth-passwd stanza entrydsess-cluster stanza 59tfim-cluster: stanza 312xacml-cluster:cluster stanzacluster>]
stanza 217basic-auth-realm stanza entry
ba stanza 35basic-auth-user stanza entry
dsess-cluster stanza 59tfim-cluster: stanza 312xacml-cluster: stanza 217
basicauth-dummy-passwd stanza entryjunction stanza 122
bind-dn stanza entryldap stanza 153
bind-id stanza entryuraf-registry stanza 319
© Copyright IBM Corp. 2002, 2012 329
bind-pwd stanza entryldap stanza 154
Ccache-enabled stanza entry
ldap stanza 154cache-group-expire-time stanza entry
ldap stanza 155cache-group-membership stanza entry
ldap stanza 155cache-group-size stanza entry
ldap stanza 156cache-host-header stanza entry
server stanza 228cache-lifetime stanza entry
uraf-registry stanza 320cache-mode stanza entry
uraf-registry stanza 321cache-policy-expire-time stanza entry
ldap stanza 156cache-policy-size stanza entry
ldap stanza 157cache-refresh-interval stanza entry
aznapi-configuration stanza 25cache-requests-for-ecsso stanza entry
e-community-sso stanza 75cache-return-registry-id stanza entry
ldap stanza 157cache-size stanza entry
oauth-eas stanza 188uraf-registry stanza 321
cache-use-user-cache stanza entryldap stanza 159
cache-user-expire-time stanza entryldap stanza 158
cache-user-size stanza entryldap stanza 158
capitalize-content-length stanza entryserver stanza 229
categories stanza entryp3p-header stanza 195
cdsso stanza 35authtoken-lifetime entry 35cdsso-argument entry 36cdsso-auth entry 36cdsso-create entry 37clean-cdsso-urls entry 37propagate-cdmf-errors entry 38use-utf8 entry 38
cdsso-argument stanza entrycdsso stanza 36
cdsso-auth stanza entrycdsso stanza 36
cdsso-create stanza entrycdsso stanza 37
cdsso-incoming-attributes stanza 39attribute_pattern entry 39
cdsso-peers stanza 40fully_qualified_hostname entry 40
cdsso-token-attributes stanza 40domain_name entry 41entry 40
cert-cache-max-entries stanza entrycertificate stanza 42
cert-cache-timeout stanza entrycertificate stanza 43
cert-failure stanza entryacnt-mgt stanza 4
cert-map-authn stanza 47debug-level entry 47rules-file entry 47
cert-prompt-max-tries stanza entrycertificate stanza 43
cert-stepup-http stanza entryacnt-mgt stanza 5
certificate stanza 42accept-client-certs entry 42cert-cache-max-entries entry 42cert-cache-timeout entry 43cert-prompt-max-tries entry 43disable-cert-login-page entry 44, 46eai-data 45
certificate-login stanza entryacnt-mgt stanza 5
cfg-db-cmd:entries stanza 48cfg-db-cmd:files stanza 49
include entry 49change-password-auth stanza entry
acnt-mgt stanza 6chunk-responses stanza entry
server stanza 230clean-cdsso-urls stanza entry
cdsso stanza 37clean-ecsso-urls-for-failover stanza entry
failover stanza 87client-connect-timeout stanza entry
server stanza 229client-notify-tod stanza entry
acnt-mgt stanza 6cluster stanza 49
is-master entry 50master-name entry 50max-wait-time entry 51
cluster-name stanza entryoauth-eas stanza 188rtss-eas stanza 215
compress-mime-types stanza 51mime_type entry 51
compress-user-agents stanza 52pattern entry 52
concurrent-session-threads-hard-limitstanza entry
server stanza 230concurrent-session-threads-soft-limit
stanza entryserver stanza 231
connection-request-limit stanza entryserver stanza 231
content stanza 53utf8-template-macros-enabled
entry 53content-cache stanza 53
MIME_type entry 53content-encodings stanza 54
extension entry 54content-index-icons stanza 55
type entry 55context-id stanza entry
rtss-eas stanza 216cookie stanza entry
auth-cookies stanza 21cookie-domain stanza entry
ltpa stanza 180
cookie-name stanza entryltpa stanza 180
cope-with-pipelined-request stanza entryserver stanza 232
cred-attribute-entitlement-services stanzaentry
aznapi-configuration stanza 25credential-policy-attributes stanza 56
policy-name entry 56credential-refresh-attributes stanza 57
attribute_name_pattern entry 57authentication_level entry 57
crl-ldap-server stanza entryjunction stanza 122ssl stanza 278
crl-ldap-server-port stanza entryjunction stanza 123ssl stanza 279
crl-ldap-user stanza entryjunction stanza 123ssl stanza 280
crl-ldap-user-password stanza entryjunction stanza 124ssl stanza 280
DDB2 xiidebug-level stanza entry
cert-map-authn stanza 47decode-query stanza entry
server stanza 232default stanza entry
ssl-qop-mgmt-default stanza 300default-fed-id stanza entry
oauth-eas stanza 189default-mode stanza entry
oauth-eas stanza 189default-policy-override-support stanza
entryldap stanza 159
Disable local junctions 151disable-cert-login-page stanza entry
certificate stanza 44, 46disable-ec-cookie stanza entry
e-community-sso stanza 76disable-local-junctions 151disable-ssl-v2 stanza entry
junction stanza 124ssl stanza 281
disable-ssl-v3 stanza entryjunction stanza 125ssl stanza 281
disable-timeout-reduction stanza entryserver stanza 233
disable-tls-v1 stanza entryjunction stanza 125ssl stanza 282
disable-tls-v11 stanza entryjunction stanza 126ssl stanza 282
disable-tls-v12 stanza entryjunction stanza 126ssl stanza 283
disputes stanza entryp3p-header stanza 196
330 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
domain stanza entry
    session-cookie-domains stanza 277
domain_name stanza entry
    cdsso-token-attributes stanza 41
    e-community-domain-keys stanza 74
    e-community-domain-keys:domain stanza 75
    ecsso-token-attributes stanza 86
dont-reprocess-jct-404s stanza entry
    junction stanza 127
double-byte-encoding stanza entry
    server stanza 233
dsess stanza 58
    dsess-cluster-name entry 58
    dsess-sess-id-pool-size entry 58
dsess-cluster stanza 59
    basic-auth-passwd entry 59
    basic-auth-user entry 59
    gsk-attr-name entry 60
    handle-idle-timeout entry 61
    handle-pool-size entry 61
    response-by entry 62
    server entry 62
    ssl-fips-enabled entry 63
    ssl-keyfile entry 64
    ssl-keyfile-label entry 64
    ssl-keyfile-stash entry 65
    ssl-valid-server-dn entry 65
    timeout entry 66
dsess-cluster-name stanza entry
    dsess stanza 58
dsess-enabled stanza entry
    session stanza 264
dsess-last-access-update-interval stanza entry
    session stanza 265
dsess-sess-id-pool-size stanza entry
    dsess stanza 58
dynamic-adi-entitlement-services stanza entry
    aznapi-configuration stanza 26
dynurl-allow-large-posts stanza entry
    server stanza 234
dynurl-map stanza entry
    server stanza 235

E
e-community-domain-keys stanza 74
    domain_name entry 74
e-community-domain-keys:domain stanza 75
    domain_name entry 75
e-community-domains stanza 74
    name entry 74
e-community-name stanza entry
    e-community-sso stanza 76
e-community-sso stanza 75
    cache-requests-for-ecsso entry 75
    disable-ec-cookie entry 76
    e-community-name entry 76
    e-community-sso-auth entry 77
    ec-cookie-domain entry 77
    ec-cookie-lifetime entry 78
    ecsso-allow-unauth entry 78
    ecsso-propagate-errors entry 79
    handle-auth-failure-at-mas entry 79
    is-master-authn-server entry 80
    master-authn-server entry 80
    master-http-port entry 81
    master-https-port entry 82
    propagate-cdmf-errors entry 82
    use-utf8 entry 83
    vf-argument entry 83
    vf-token-lifetime entry 84
    vf-url entry 84
e-community-sso-auth stanza entry
    e-community-sso stanza 77
eai stanza 66
    eai-auth entry 66
    eai-auth-level-header entry 67
    eai-flags-header entry 67
    eai-pac-header entry 68
    eai-pac-svc-header entry 68
    eai-redir-url-header entry 69
    eai-session-id-header entry 69
    eai-user-id-header entry 70
    eai-verify-user-identity entry 70
    eai-xattrs-header entry 71
    retain-eai-session entry 72
eai-auth stanza entry
    eai stanza 66
eai-auth-level-header stanza entry
    eai stanza 67
eai-data
    certificate stanza 45
eai-flags-header stanza entry
    eai stanza 67
eai-pac-header stanza entry
    eai stanza 68
eai-pac-svc-header stanza entry
    eai stanza 68
eai-redir-url-header stanza entry
    eai stanza 69
eai-session-id-header stanza entry
    eai stanza 69
eai-trigger-urls stanza 72
    trigger entry 72, 73
eai-user-id-header stanza entry
    eai stanza 70
eai-verify-user-identity stanza entry
    eai stanza 70
eai-xattrs-header stanza entry
    eai stanza 71
ec-cookie-domain stanza entry
    e-community-sso stanza 77
ec-cookie-lifetime stanza entry
    e-community-sso stanza 78
ecsso-allow-unauth stanza entry
    e-community-sso stanza 78
ecsso-incoming-attributes stanza 85
    attribute_pattern entry 85
ecsso-propagate-errors stanza entry
    e-community-sso stanza 79
ecsso-token-attributes stanza 86
    domain_name entry 86
    entry 86
education xiv
enable-duplicate-ssl-dn-not-found-msgs stanza entry
    ssl stanza 283
enable-failover-cookie-for-domain stanza entry
    failover stanza 88
enable-html-redirect stanza entry
    acnt-mgt stanza 7
enable-IE6-2GB-downloads stanza entry
    server stanza 235
enable-local-response-redirect stanza entry
    acnt-mgt stanza 7
enable-passwd-warn stanza entry
    acnt-mgt stanza 8
enable-redirects stanza 87
    redirect entry 87
enable-secret-token-validation stanza entry
    acnt-mgt stanza 9
enabled stanza entry
    ldap stanza 160
enforce-max-sessions-policy stanza entry
    session stanza 265
entries 86
    pam-issue
        pam-resource:URI stanza 208
    resource-name
        http-transformations stanza 107
    user-agent
        user-agent stanza 322
    absolute-uri-in-request-log
        logging stanza 171
    accept-client-certs
        certificate stanza 42
    access
        p3p-header stanza 194
    account-expiry-notification
        acnt-mgt stanza 1
    account-inactivated
        acnt-mgt stanza 1
    account-locked
        acnt-mgt stanza 2
    agents
        logging stanza 171
    allow-backend-domain-cookies
        junction stanza 121, 128
    allow-empty-form-fields
        forms stanza 103
    allow-shift-jis-chars
        server stanza 225
    allow-unauth-ba-supply
        server stanza 225
    allow-unauthenticated-logout
        acnt-mgt stanza 3
    allow-unsolicited-logins
        server stanza 226
    allowed-referers
        acnt-mgt stanza 3
    always-send-tokens
        tfimsso: jct-id stanza 306
    applies-to
        tfimsso: jct-id stanza 307
    apply-tam-native-policy
        oauth-eas stanza 186
        rtss-eas stanza 213
    attribute_name_pattern
        credential-refresh-attributes stanza 57
Index 331
    attribute_pattern
        cdsso-incoming-attributes stanza 39
        ecsso-incoming-attributes stanza 85
        failover-add-attributes stanza 93
        failover-restore-attributes stanza 95, 96
    audit-attribute
        aznapi-configuration stanza 23
    audit-log-cfg
        rtss-eas stanza 214
    audit-mime-types
        logging stanza 172
    audit-response-codes
        logging stanza 172
    auditcfg
        aznapi-configuration stanza 23
    auditlog
        aznapi-configuration stanza 24
    auth-challenge-type
        server stanza 227
    auth-timeout
        ldap stanza 152
    auth-using-compare
        ldap stanza 153
    authentication_level
        credential-refresh-attributes stanza 57
    authtoken-lifetime
        cdsso stanza 35
    azn-decision-info
        azn-decision-info stanza 33
    ba-auth
        ba stanza 34
    bad-gateway-rsp-file
        oauth-eas stanza 187
    bad-request-rsp-file
        oauth-eas stanza 187
    base-crypto-library
        ssl stanza 278
    basic-auth-passwd
        [rtss-cluster:<cluster>] stanza 217
        dsess-cluster stanza 59
        tfim-cluster: cluster stanza 312
    basic-auth-realm
        ba stanza 35
    basic-auth-user
        dsess-cluster stanza 59
        rtss-cluster: cluster stanza 217
        tfim-cluster: cluster stanza 312
    basicauth-dummy-passwd
        junction stanza 122
    bind-dn
        ldap stanza 153
    bind-id
        uraf-registry stanza 319
    bind-pwd
        ldap stanza 154
    cache-enabled
        ldap stanza 154
    cache-group-expire-time
        ldap stanza 155
    cache-group-membership
        ldap stanza 155
    cache-group-size
        ldap stanza 156
    cache-host-header
        server stanza 228
    cache-lifetime
        uraf-registry stanza 320
    cache-mode
        uraf-registry stanza 321
    cache-policy-expire-time
        ldap stanza 156
    cache-policy-size
        ldap stanza 157
    cache-refresh-interval
        aznapi-configuration stanza 25
    cache-requests-for-ecsso
        e-community-sso stanza 75
    cache-return-registry-id
        ldap stanza 157
    cache-size
        oauth-eas stanza 188
        uraf-registry stanza 321
    cache-use-user-cache
        ldap stanza 159
    cache-user-expire-time
        ldap stanza 158
    cache-user-size
        ldap stanza 158
    capitalize-content-length
        server stanza 229
    categories
        p3p-header stanza 195
    cdsso-argument
        cdsso stanza 36
    cdsso-auth
        cdsso stanza 36
    cdsso-create
        cdsso stanza 37
    cdsso-token-attributes stanza 40
    cert-cache-max-entries
        certificate stanza 42
    cert-cache-timeout
        certificate stanza 43
    cert-failure
        acnt-mgt stanza 4
    cert-prompt-max-tries
        certificate stanza 43
    cert-stepup-http
        acnt-mgt stanza 5
    certificate-login
        acnt-mgt stanza 5
    change-password-auth
        acnt-mgt stanza 6
    chunk-responses
        server stanza 230
    clean-cdsso-urls
        cdsso stanza 37
    clean-ecsso-urls-for-failover
        failover stanza 87
    client-connect-timeout
        server stanza 229
    client-notify-tod
        acnt-mgt stanza 6
    cluster-name
        oauth-eas stanza 188
        rtss-eas stanza 215
    concurrent-session-threads-hard-limit
        server stanza 230
    concurrent-session-threads-soft-limit
        server stanza 231
    connection-request-limit
        server stanza 231
    context-id
        rtss-eas stanza 216
    cookie
        auth-cookies stanza 21
    cookie-domain
        ltpa stanza 180
    cookie-name
        ltpa stanza 180
    cope-with-pipelined-request
        server stanza 232
    cred-attribute-entitlement-services
        aznapi-configuration stanza 25
    crl-ldap-server
        junction stanza 122
        ssl stanza 278
    crl-ldap-server-port
        junction stanza 123
        ssl stanza 279
    crl-ldap-user
        junction stanza 123
        ssl stanza 280
    crl-ldap-user-password
        junction stanza 124
        ssl stanza 280
    debug-level
        cert-map-authn stanza 47
    decode-query
        server stanza 232
    default
        ssl-qop-mgmt-default stanza 300
    default-fed-id
        oauth-eas stanza 189
    default-mode
        oauth-eas stanza 189
    default-policy-override-support
        ldap stanza 159
    disable-cert-login-page
        certificate stanza 44, 46
    disable-ec-cookie
        e-community-sso stanza 76
    disable-ssl-v2
        junction stanza 124
        ssl stanza 281
    disable-ssl-v3
        junction stanza 125
        ssl stanza 281
    disable-timeout-reduction
        server stanza 233
    disable-tls-v1
        junction stanza 125
        ssl stanza 282
    disable-tls-v11
        junction stanza 126
        ssl stanza 282
    disable-tls-v12
        junction stanza 126
        ssl stanza 283
    disputes
        p3p-header stanza 196
    domain
        session-cookie-domains stanza 277
    domain_name
        cdsso-token-attributes stanza 41
        e-community-domain-keys stanza 74
        e-community-domain-keys:domain stanza 75
        ecsso-token-attributes stanza 86
    dont-reprocess-jct-404s
        junction stanza 127
    double-byte-encoding
        server stanza 233
    dsess-cluster-name
        dsess stanza 58
    dsess-enabled
        session stanza 264
    dsess-last-access-update-interval
        session stanza 265
    dsess-sess-id-pool-size
        dsess stanza 58
    dynamic-adi-entitlement-services
        aznapi-configuration stanza 26
    dynurl-allow-large-posts
        server stanza 234
    dynurl-map
        server stanza 235
    e-community-name
        e-community-sso stanza 76
    e-community-sso-auth
        e-community-sso stanza 77
    eai-auth
        eai stanza 66
    eai-auth-level-header
        eai stanza 67
    eai-data
        certificate stanza 45
    eai-flags-header
        eai stanza 67
    eai-pac-header
        eai stanza 68
    eai-pac-svc-header
        eai stanza 68
    eai-redir-url-header
        eai stanza 69
    eai-session-id-header
        eai stanza 69
    eai-user-id-header
        eai stanza 70
    eai-verify-user-identity
        eai stanza 70
    eai-xattrs-header
        eai stanza 71
    ec-cookie-domain
        e-community-sso stanza 77
    ec-cookie-lifetime
        e-community-sso stanza 78
    ecsso-allow-unauth
        e-community-sso stanza 78
    ecsso-propagate-errors
        e-community-sso stanza 79
    ecsso-token-attributes stanza 86
    enable-duplicate-ssl-dn-not-found-msgs
        ssl stanza 283
    enable-failover-cookie-for-domain
        failover stanza 88
    enable-html-redirect
        acnt-mgt stanza 7
    enable-IE6-2GB-downloads
        server stanza 235
    enable-local-response-redirect
        acnt-mgt stanza 7
    enable-passwd-warn
        acnt-mgt stanza 8
    enable-secret-token-validation
        acnt-mgt stanza 9
    enabled
        ldap stanza 160
    enforce-max-sessions-policy
        session stanza 265
    env-name
        system-environment-variables stanza 305
    extension
        content-encodings stanza 54
    failover-auth
        failover stanza 89
    failover-cookie-lifetime
        failover stanza 89
    failover-cookies-keyfile
        failover stanza 90
    failover-include-session-id
        failover stanza 90
    failover-require-activity-timestamp-validation
        failover stanza 91
    failover-require-lifetime-timestamp-validation
        failover stanza 91
    failover-update-cookie
        failover stanza 92
    fed-id-param
        oauth-eas stanza 190
    filter-nonhtml-as-xhtml
        server stanza 236
    fips-mode-processing
        ssl stanza 284
    flow-data-enabled
        flow-data stanza 102
    flow-data-stats-interval
        flow-data stanza 103
    flush-time
        logging stanza 173
    force-tag-value-prefix
        server stanza 236
    forms-auth
        forms stanza 104
    fully_qualified_hostname
        cdsso-peers stanza 40
    gmt-time
        logging stanza 173
    gsk-attr-name
        dsess-cluster stanza 60
        ssl stanza 284
        tfim-cluster: cluster stanza 313
    gsk-crl-cache-entry-lifetime
        ssl stanza 286
    gsk-crl-cache-size
        ssl stanza 286
    gso-cache-enabled
        gso-cache stanza 105
    gso-cache-entry-idle-timeout
        gso-cache stanza 105
    gso-cache-entry-lifetime
        gso-cache stanza 106
    gso-cache-size
        gso-cache stanza 106
    handle-auth-failure-at-mas
        e-community-sso stanza 79
    handle-idle-timeout
        rtss-cluster:<cluster> stanza 218
        tfim-cluster: cluster stanza 314
    handle-pool-size
        [rtss-cluster:<cluster>] stanza 218
        dsess-cluster stanza 61
        tfim-cluster: cluster stanza 314
    header
        filter-request-headers stanza 99
    header_name
        session-http-headers stanza 277
    help
        acnt-mgt stanza 10
    host
        ldap stanza 161
    host-header-in-request-log
        logging stanza 174
    host-ip
        ssl-qop-mgmt-hosts stanza 301
    hostname-junction-cookie
        script-filtering stanza 223
    HTML_tag
        filter-events stanza 97
        filter-url stanza 101
    html-redirect
        acnt-mgt stanza 11
    http
        server stanza 237
    http-method-disabled-local
        server stanza 237
    http-method-disabled-remote
        server stanza 238
    http-port
        server stanza 238
    http-rsp-header
        acnt-mgt stanza 10
    http-timeout
        junction stanza 129
    https
        server stanza 239
    https-port
        server stanza 239
    https-timeout
        junction stanza 129
    ignore-missing-last-chunk
        server stanza 240
    inactive-timeout
        session stanza 266
    input-adi-xml-prolog
        aznapi-configuration stanza 26
    insert-client-real-ip-for-option-r
        junction stanza 130
    interface_name
        interfaces stanza 111
    intra-connection-timeout
        server stanza 240
    io-buffer-size
        junction stanza 130
        server stanza 241
    ip-support-level
        server stanza 242
    ipaddr-auth
        ipaddr stanza 120
    ipv6-support
        server stanza 243
    is-enabled
        itim stanza 112
    is-master
        cluster stanza 50
    is-master-authn-server
        e-community-sso stanza 80
    itim-server-name
        itim stanza 112
    itim-servlet-context
        itim stanza 113
    jct-cert-keyfile
        junction stanza 131
    jct-cert-keyfile-pwd
        junction stanza 133
    jct-cert-keyfile-stash
        junction stanza 132
    jct-gsk-attr-name
        ssl stanza 287
    jct-ltpa-cookie-name
        ltpa stanza 181
    jct-ocsp-enable
        junction stanza 133
    jct-ocsp-max-response-size
        junction stanza 134
    jct-ocsp-nonce-check-enable
        junction stanza 134
    jct-ocsp-nonce-generation-enable
        junction stanza 135
    jct-ocsp-proxy-server-name
        junction stanza 135
    jct-ocsp-proxy-server-port
        junction stanza 136
    jct-ocsp-url
        junction stanza 136
    jct-ssl-reneg-warning-rate
        junction stanza 137
    jct-undetermined-revocation-cert-action
        junction stanza 137
    jmt-map
        junction stanza 138
    keydatabase-file
        itim stanza 114
    keydatabase-password
        itim stanza 114
    keydatabase-password-file
        itim stanza 115
    keyfile
        ltpa stanza 182
    late-lockout-notification
        server stanza 243
    level
        authentication-levels stanza 22
    listen-flags
        aznapi-configuration stanza 27
    local-response-redirect-uri
        local-response-redirect stanza 170
    log-invalid-requests
        logging stanza 174
    logaudit
        aznapi-configuration stanza 27
    logcfg
        aznapi-configuration stanza 28
    logclientid
        aznapi-configuration stanza 28
    logflush
        aznapi-configuration stanza 29
    login
        acnt-mgt stanza 11
    login-failures-persistent
        ldap stanza 161
    login-redirect-page
        acnt-mgt stanza 12
    login-success
        acnt-mgt stanza 13
    logout
        acnt-mgt stanza 13
    logout-remove-cookie
        session stanza 266
    logsize
        aznapi-configuration stanza 30
    ltpa-auth
        ltpa stanza 179, 182
    ltpa-cache-enabled
        ltpa-cache stanza 183
    ltpa-cache-entry-idle-timeout
        ltpa-cache stanza 184
    ltpa-cache-entry-lifetime
        ltpa-cache stanza 184
    ltpa-cache-size
        ltpa-cache stanza 185
    macro
        local-response-macros stanza 169
    managed-cookies-list
        junction stanza 139
    mangle-domain-cookies
        junction stanza 139
    master-authn-server
        e-community-sso stanza 80
    master-http-port
        e-community-sso stanza 81
    master-https-port
        e-community-sso stanza 82
    master-name
        cluster stanza 50
    match-vhj-first
        junction stanza 140
    max-cached-persistent-connections
        junction stanza 140
    max-client-read
        server stanza 244
    max-entries
        session stanza 267
    max-file-cat-command-length
        server stanza 244
    max-file-descriptors
        server stanza 245
    max-idle-persistent-connections
        server stanza 246
    max-search-size
        ldap stanza 162
    max-size
        logging stanza 175
    max-wait-time
        cluster stanza 51
    max-webseal-header-size
        junction stanza 141
    mime_type
        compress-mime-types stanza 51
    MIME_type
        content-cache stanza 53
    mode-param
        oauth-eas stanza 191
    mpa
        mpa stanza 185
    name
        e-community-domains stanza 74
        preserve-cookie-names stanza 209
    network-interface
        server stanza 246
    network/netmask
        ssl-qop-mgmt-networks stanza 302
    non-identifiable
        p3p-header stanza 197
    obligation
        obligations-levels-mapping stanza 193
    ocsp-enable
        ssl stanza 288
    ocsp-max-response-size
        ssl stanza 289
    ocsp-nonce-check-enable
        ssl stanza 289
    ocsp-nonce-generation-enable
        ssl stanza 290
    ocsp-proxy-server-name
        ssl stanza 290
    ocsp-proxy-server-port
        ssl stanza 291
    ocsp-url
        ssl stanza 291
    one-time-token
        tfimsso: jct-id stanza 307
    p3p-element
        p3p-header stanza 197
    pam-coalescer-parameter
        PAM stanza 204
    pam-disabled-issues
        PAM stanza 206
    pam-enabled
        PAM stanza 202
    pam-http-parameter
        PAM stanza 203
    pam-log-audit-events
        PAM stanza 206
    pam-log-cfg
        logging stanza 205
    pam-max-memory
        PAM stanza 202
    pam-resource-rule
        PAM stanza 207
    pam-use-proxy-header
        PAM stanza 203
    pass-http-only-cookie-atr
        junction stanza 142
    passwd-change
        acnt-mgt stanza 14
    passwd-change-failure
        acnt-mgt stanza 14
    passwd-change-success
        acnt-mgt stanza 15
    passwd-expired
        acnt-mgt stanza 15
    passwd-warn
        acnt-mgt stanza 16
    passwd-warn-failure
        acnt-mgt stanza 16
    pattern
        compress-user-agents stanza 52
    permission-info-returned
        aznapi-configuration stanza 30
    persistent-con-timeout
        junction stanza 142
        server stanza 247
    ping-method
        junction stanza 143
    ping-time
        junction stanza 144
    ping-uri
        junction stanza 144
    policy-attr-separator
        aznapi-configuration stanza 31
    policy-cache-size
        aznapi-configuration stanza 31
    policy-name
        credential-policy-attributes stanza 56
    port
        ldap stanza 163
    pre-410-compatible-tokens
        server stanza 247
    pre-510-compatible-token
        server stanza 248
    prefer-readwrite-server
        ldap stanza 162
    preserve-base-href
        server stanza 248
    preserve-base-href2
        server stanza 249
    preserve-p3p-policy
        server stanza 249
    preserve-xml-token
        tfimsso:jct-id stanza 308
    principal-name
        itim stanza 116
    principal-password
        itim stanza 116
    process-root-requests
        server stanza 250
    prompt-for-displacement
        session stanza 268
    propagate-cdmf-errors
        cdsso stanza 38
        e-community-sso stanza 82
    purpose
        p3p-header stanza 198
    realm-name
        oauth-eas stanza 191
    reauth-at-any-level
        reauthentication stanza 210
    reauth-extend-lifetime
        reauthentication stanza 210
    reauth-for-inactive
        reauthentication stanza 211
    reauth-reset-lifetime
        reauthentication stanza 211
    recipient
        p3p-header stanza 199
    recovery-ping-time
        junction stanza 145
    redirect
        enable-redirects stanza 87
    redirect-to-root-for-pkms
        acnt-mgt stanza 17
    redirect-using-relative
        server stanza 250
    referers
        logging stanza 175
    register-authentication-failures
        session stanza 268
    reissue-missing-failover-cookie
        failover stanza 92
    reject-invalid-host-header
        server stanza 251
    reject-request-transfer-encodings
        server stanza 252
    remedies
        p3p-header stanza 200
    renewal-window
        tfimsso: jct-id stanza 308
    replica
        ldap stanza 163
    replica-set
        replica-sets stanza 213
    reprocess-root-jct-404s
        junction stanza 146
    request-body-max-read
        server stanza 252
    request-log-format
        logging stanza 176
    request-max-cache
        server stanza 253
    requests
        logging stanza 176
    require-mpa
        session stanza 269
    resend-webseal-cookies
        session stanza 269
    reset-cookies-list
        junction stanza 146
    resource-manager-provided-adi
        aznapi-configuration stanza 32
    response-by
        dsess-cluster stanza 62
    response-code-rules
        junction stanza 147
    retain-eai-session
        eai stanza 72
    retain-stepup-session
        step-up stanza 303
    retention
        p3p-header stanza 201
    rewrite-absolute-with-absolute
        script-filtering stanza 224
    root
        process-root-filter stanza 209
    rules-file
        cert-map-authn stanza 47
    scheme
        filter-schemes stanza 100
    script-filter
        script-filtering stanza 224
    search-timeout
        ldap stanza 164
    send-constant-sess
        session stanza 270
    send-header-ba-first
        server stanza 253
    send-header-spnego-first
        server stanza 254
    server
        [rtss-cluster:<cluster>] stanza 219
        dsess-cluster stanza 62
        tfim-cluster: cluster stanza 315
    server-log-cfg
        logging stanza 178
    server-name
        header-names stanza 107
        server stanza 255
    service-name
        tfimsso: jct-id stanza 309
    service-password-dn
        itim stanza 117
    service-source-dn
        itim stanza 118
    service-token-card-dn
        itim stanza 119
    servlet-port
        itim stanza 120
    session-activity-timestamp
        failover-add-attributes stanza 94
    session-lifetime-timestamp
        failover-add-attributes stanza 94
    share-cookies
        junction stanza 148
    shared-domain-cookie
        session stanza 270
    show-all-auth-prompts
        step-up stanza 303
    single-signoff-uri
        acnt-mgt stanza 17
    slash-before-query-on-redirect
        server stanza 255
    ssl-enabled
        ldap stanza 165
    ssl-fips-enabled
        dsess-cluster stanza 63
        rtss-cluster:<cluster> stanza 220
        tfim-cluster:<cluster> stanza 316
    ssl-id-sessions
        session stanza 271
    ssl-keyfile
        [rtss-cluster:<cluster>] stanza 220
        dsess-cluster stanza 64
        ldap stanza 165
        ssl stanza 292
        tfim-cluster: cluster stanza 316
    ssl-keyfile-dn
        ldap stanza 166
    ssl-keyfile-label
        [rtss-cluster:<cluster>] stanza 221
        dsess-cluster stanza 64
        ssl stanza 292
        tfim-cluster:cluster stanza 317
    ssl-keyfile-pwd
        ldap stanza 167
        ssl stanza 293
    ssl-keyfile-stash
        [rtss-cluster:<cluster>] stanza 222
        ssl stanza 293
        tfim-cluster: cluster stanza 318
    ssl-local-domain
        ssl stanza 294
    ssl-max-entries
        ssl stanza 294
    ssl-port
        ldap stanza 167
    ssl-qop-mgmt
        ssl-qop stanza 299
    ssl-session-cookie-name
        session stanza 271
    ssl-v2-timeout
        ssl stanza 295
    ssl-v3-timeout
        ssl stanza 296
    ssl-valid-server-dn
        dsess-cluster stanza 65
        rtss-cluster:<cluster> stanza 222
        tfim-cluster:cluster stanza 318
    standard-junction-replica-set
        session stanza 272
    step-up-at-higher-level
        step-up stanza 304
    stepup-login
        acnt-mgt stanza 18
    strip-www-authenticate-headers
        server stanza 256
    substring
        illegal-url-substrings stanza 110
    support-virtual-host-domain-cookies
        junction stanza 148
    suppress-backend-server-identity
        server stanza 256
    suppress-client-ssl-errors
        ssl stanza 296
    suppress-dynurl-parsing-of-posts
        server stanza 257
    suppress-server-identity
        server stanza 258
    switch-user
        acnt-mgt stanza 19
    tag-value-missing-attr-tag
        server stanza 258
    tcp-session-cookie-name
        session stanza 272
    temp-cache-response
        acnt-mgt stanza 19
    temp-session-cookie-name
        session stanza 273
    temp-session-max-lifetime
        session stanza 273
    terminate-on-reauth-lockout
        reauthentication stanza 212
    tfim-cluster-name
        tfimsso: jct-id stanza 309
    timeout
        [rtss-cluster:<cluster>] stanza 223
        dsess-cluster stanza 66
        ldap stanza 168
        session stanza 274
        tfim-cluster: cluster stanza 319
    token-collection-size
        tfimsso: jct-id stanza 310
    token-transmit-name
        tfimsso: jct-id stanza 311
    token-transmit-type
        tfimsso: jct-id stanza 311
    token-type
        tfimsso: jct-id stanza 310
    too-many-sessions
        acnt-mgt stanza 20
    trace-component
        oauth-eas stanza 192
        rtss-eas stanza 216
    trigger
        eai-trigger-urls stanza 72, 73
    type
        content-index-icons stanza 55
        filter-content-types stanza 96
    unauthorized-rsp-file
        oauth-eas stanza 192
    undetermined-revocation-cert-action
        ssl stanza 297
    update-session-cookie-in-login-request
        session stanza 275
    use-existing-username-macro-in-custom-redirects
        server stanza 259
    use-filename-for-pkmslogout
        acnt-mgt stanza 21
    use-full-dn
        ltpa stanza 183
    use-http-only-cookies
        server stanza 259
    use-new-stateful-on-error
        junction stanza 149
    use-restrictive-logout-filenames
        acnt-mgt stanza 20
    use-same-session
        session stanza 276
    use-utf8
        cdsso stanza 38
        e-community-sso stanza 83
        failover stanza 93
    user-and-group-in-same-suffix
        ldap stanza 168
    user-session-ids
        session stanza 275
    user-session-ids-include-replica-set
        session stanza 276
    utf8-form-support-enabled
        server stanza 260
    utf8-qstring-support-enabled
        server stanza 260
    utf8-template-macros-enabled
        content stanza 53
    utf8-url-support-enabled
        server stanza 261
    validate-backend-domain-cookies
        junction stanza 150
    validate-query-as-ga
        server stanza 261
    verify-step-up-user
        step-up stanza 304
    vf-argument
        e-community-sso stanza 83
    vf-token-lifetime
        e-community-sso stanza 84
    vf-url
        e-community-sso stanza 84
    web-host-name
        server stanza 262
    web-http-port
        server stanza 263
    web-http-protocol
        server stanza 263
    webseal-cert-keyfile
        ssl stanza 297
    webseal-cert-keyfile-label
        ssl stanza 298
    webseal-cert-keyfile-pwd
        ssl stanza 298
    webseal-cert-keyfile-stash
        ssl stanza 299
    worker-thread-hard-limit
        junction stanza 150
    worker-thread-soft-limit
        junction stanza 151
    worker-threads
        server stanza 264
    xsl-stylesheet-prolog
        aznapi-configuration stanza 33
entries dsess-cluster stanza
    handle-idle-timeout 61
    ssl-keyfile-stash 65
env-name stanza entry
    system-environment-variables stanza 305
exclude stanza entry
    cfg-db-cmd:entries stanza 48
extension stanza entry
    content-encodings stanza 54

F
failover stanza 87
    clean-ecsso-urls-for-failover entry 87
    enable-failover-cookie-for-domain entry 88
    failover-auth entry 89
    failover-cookie-lifetime entry 89
    failover-cookies-keyfile entry 90
    failover-include-session-id entry 90
    failover-require-activity-timestamp-validation entry 91
    failover-require-lifetime-timestamp-validation entry 91
    failover-update-cookie entry 92
    reissue-missing-failover-cookie entry 92
    use-utf8 entry 93
failover-add-attributes stanza 93
    attribute_pattern entry 93
    session-activity-timestamp entry 94
    session-lifetime-timestamp entry 94
failover-auth stanza entry
    failover stanza 89
failover-cookie-lifetime stanza entry
    failover stanza 89
failover-cookies-keyfile stanza entry
    failover stanza 90
failover-include-session-id stanza entry
    failover stanza 90
failover-require-activity-timestamp-validation stanza entry
    failover stanza 91
failover-require-lifetime-timestamp-validation stanza entry
    failover stanza 91
failover-restore-attributes stanza 95
    attribute_pattern entry 95, 96
failover-update-cookie stanza entry
    failover stanza 92
fed-id-param stanza entry
    oauth-eas stanza 190
Federal Information Process Standards (FIPS)
    ssl-fips-enabled stanza entry 63
files
    include
        cfg-db-cmd:files stanza 49
filter-content-types stanza 96
    type entry 96
filter-events stanza 97
    HTML_tag entry 97
filter-nonhtml-as-xhtml stanza entry
    server stanza 236
filter-request-headers stanza 99
    header entry 99
filter-schemes stanza 100
    scheme entry 100
filter-url stanza 101
    HTML_tag entry 101
FIPS (Federal Information Process Standards)
    ssl-fips-enabled stanza entry 63
fips-mode-processing stanza entry
    ssl stanza 284
flow-data stanza 102
    flow-data-enabled entry 102
    flow-data-stats-interval entry 103
flow-data-enabled stanza entry
    flow-data stanza 102
flow-data-stats-interval stanza entry
    flow-data stanza 103
flush-time stanza entry
    logging stanza 173
force-tag-value-prefix stanza entry
    server stanza 236
forms stanza 103
    allow-empty-form-fields entry 103
    forms-auth entry 104
forms-auth stanza entry
    forms stanza 104
fully_qualified_hostname stanza entry
    cdsso-peers stanza 40

G
gmt-time stanza entry
    logging stanza 173
gsk-attr-name stanza entry
    dsess-cluster stanza 60
    ssl stanza 284
    tfim-cluster: cluster stanza 313
gsk-crl-cache-entry-lifetime stanza entry
    ssl stanza 286
gsk-crl-cache-size stanza entry
    ssl stanza 286
gskcapicmd xii
gskikm.jar xii
GSKit
    documentation xii
gso-cache stanza 105
    gso-cache-enabled entry 105
    gso-cache-entry-idle-timeout entry 105
    gso-cache-entry-lifetime entry 106
    gso-cache-size entry 106
gso-cache-enabled stanza entry
    gso-cache stanza 105
gso-cache-entry-idle-timeout stanza entry
    gso-cache stanza 105
gso-cache-entry-lifetime stanza entry
    gso-cache stanza 106
gso-cache-size stanza entry
    gso-cache stanza 106

H
handle-auth-failure-at-mas stanza entry
    e-community-sso stanza 79
handle-idle-timeout stanza entry
    dsess-cluster stanza 61
    tfim-cluster: stanza 314
    xacml-cluster: stanza 218
handle-pool-size stanza entry
    dsess-cluster stanza 61
    tfim-cluster: cluster stanza 314
    xacml-cluster: cluster stanza 218
header stanza entry
    filter-request-headers stanza 99
header_name stanza entry
    session-http-headers stanza 277
header-names stanza 107
    server-name entry 107
help stanza entry
    acnt-mgt stanza 10
host stanza entry
    ldap stanza 161
host-header-in-request-log stanza entry
    logging stanza 174
host-ip stanza entry
    ssl-qop-mgmt-hosts stanza 301
hostname-junction-cookie stanza entry
    script-filtering stanza 223
HTML_tag stanza entry
    filter-events stanza 97
    filter-url stanza 101
html-redirect stanza entry
    acnt-mgt stanza 11
http stanza entry
    server stanza 237
http-method-disabled-local stanza entry
    server stanza 237
http-method-disabled-remote stanza entry
    server stanza 238
http-port stanza entry
    server stanza 238
http-rsp-header stanza entry
    acnt-mgt stanza 10
http-timeout stanza entry
    junction stanza 129
http-transformations stanza 107
    resource-name entry 107
https stanza entry
    server stanza 239
https-port stanza entry
    server stanza 239
https-timeout stanza entry
    junction stanza 129

I
IBM
    Software Support xiv
    Support Assistant xiv
icap stanza 109
ICAP stanza 109, 110
ICAP: resource 109, 110
ICAP:resource 109
ignore-missing-last-chunk stanza entry
    server stanza 240
iKeyman xii
illegal-url-substrings stanza 110
    substring entry 110
inactive-timeout stanza entry
    session stanza 266
include stanza entry
    cfg-db-cmd:files stanza 49
input-adi-xml-prolog stanza entry
    aznapi-configuration stanza 26
insert-client-real-ip-for-option-r stanza entry
    junction stanza 130
interface_name stanza entry
    interfaces stanza 111
interfaces stanza 111
    interface_name entry 111
internet content adaptation protocol 109, 110
intra-connection-timeout stanza entry
    server stanza 240
io-buffer-size stanza entry
    junction stanza 130
    server stanza 241
ip-support-level stanza entry
    server stanza 242
ipaddr stanza
    ipaddr-auth entry 120
ipaddr-auth stanza entry
    ipaddr stanza 120
ipv6-support stanza entry
    server stanza 243
is-enabled stanza entry
    itim stanza 112
is-master stanza entry
    cluster stanza 50
is-master-authn-server stanza entry
    e-community-sso stanza 80
itim stanza 112
    is-enabled entry 112
    itim-server-name entry 112
    itim-servlet-context entry 113
    keydatabase-file entry 114
    keydatabase-password entry 114
    keydatabase-password-file entry 115
    principal-name entry 116
    principal-password entry 116
    service-password-dn entry 117
    service-source-dn entry 118
    service-token-card-dn entry 119
    servlet-port entry 120
itim-server-name stanza entry
    itim stanza 112
itim-servlet-context stanza entry
    itim stanza 113

J
jct-cert-keyfile stanza entry
    junction stanza 131
jct-cert-keyfile-pwd stanza entry
    junction stanza 133
jct-cert-keyfile-stash stanza entry
    junction stanza 132
jct-gsk-attr-name stanza entry
    ssl stanza 287
jct-ltpa-cookie-name stanza entry
    ltpa stanza 181
jct-ocsp-enable stanza entry
    junction stanza 133
jct-ocsp-max-response-size stanza entry
    junction stanza 134
jct-ocsp-nonce-check-enable stanza entry
    junction stanza 134
jct-ocsp-nonce-generation-enable stanza entry
    junction stanza 135
jct-ocsp-proxy-server-name stanza entry
    junction stanza 135
jct-ocsp-proxy-server-port stanza entry
    junction stanza 136
jct-ocsp-url stanza entry
    junction stanza 136
jct-ssl-reneg-warning-rate stanza entry
    junction stanza 137
jct-undetermined-revocation-cert-action stanza entry
    junction stanza 137
jdb-cmd:replace stanza 120
jmt-map stanza entry
    junction stanza 138
junction stanza 121
    allow-backend-domain-cookies entry 121, 128
    basicauth-dummy-passwd entry 122
    crl-ldap-server entry 122
    crl-ldap-server-port entry 123
    crl-ldap-user entry 123
    crl-ldap-user-password entry 124
    disable-ssl-v2 entry 124
    disable-ssl-v3 entry 125
    disable-tls-v1 entry 125
    disable-tls-v11 entry 126
    disable-tls-v12 entry 126
    dont-reprocess-jct-404s entry 127
    http-timeout entry 129
    https-timeout entry 129
    insert-client-real-ip-for-option-r entry 130
    io-buffer-size entry 130
    jct-cert-keyfile entry 131
    jct-cert-keyfile-pwd entry 133
    jct-cert-keyfile-stash entry 132
    jct-ocsp-enable entry 133
    jct-ocsp-max-response-size entry 134
    jct-ocsp-nonce-check-enable entry 134
    jct-ocsp-nonce-generation-enable entry 135
    jct-ocsp-proxy-server-name entry 135
    jct-ocsp-proxy-server-port entry 136
    jct-ocsp-url entry 136
    jct-ssl-reneg-warning-rate entry 137
    jct-undetermined-revocation-cert-action entry 137
    jmt-map entry 138
    managed-cookies-list entry 139
    mangle-domain-cookies entry 139
    match-vhj-first entry 140
    max-cached-persistent-connections entry 140
    max-webseal-header-size entry 141
    pass-http-only-cookie-atr entry 142
    persistent-con-timeout entry 142
    ping-method entry 143
    ping-time entry 144
    ping-uri entry 144
    recovery-ping-time entry 145
    reprocess-root-jct-404s entry 146
    reset-cookies-list entry 146
    response-code-rules entry 147
    share-cookies entry 148
    support-virtual-host-domain-cookies entry 148
    use-new-stateful-on-error entry 149
    validate-backend-domain-cookies entry 150
    worker-thread-hard-limit entry 150
    worker-thread-soft-limit entry 151
junction:junction_name stanza 152

K
key xii
keydatabase-file stanza entry
    itim stanza 114
keydatabase-password stanza entry
    itim stanza 114
keydatabase-password-file stanza entry
    itim stanza 115
keyfile stanza entry
    ltpa stanza 182

L
late-lockout-notification stanza entry
    server stanza 243
LDAP server
    on z/OS xii
ldap stanza 152
    auth-timeout entry 152
    auth-using-compare entry 153
    bind-dn entry 153
    bind-pwd entry 154
    cache-enabled entry 154
    cache-group-expire-time entry 155
    cache-group-membership entry 155
    cache-group-size entry 156
    cache-policy-expire-time entry 156
    cache-policy-size entry 157
    cache-return-registry-id entry 157
    cache-use-user-cache entry 159
    cache-user-expire-time entry 158
    cache-user-size entry 158
    default-policy-override-support entry 159
    enabled entry 160
    host entry 161
    login-failures-persistent entry 161
    max-search-size entry 162
    port entry 163
    prefer-readwrite-server entry 162
    replica entry 163
    search-timeout entry 164
    ssl-enabled entry 165
    ssl-keyfile entry 165
    ssl-keyfile-dn entry 166
    ssl-keyfile-pwd entry 167
    ssl-port entry 167
    timeout entry 168
    user-and-group-in-same-suffix entry 168
level stanza entry
    authentication-levels stanza 22
listen-flags stanza entry
    aznapi-configuration stanza 27
local junctions
    disable 151
local-response-macros stanza 169
    macro entry 169
local-response-redirect stanza 170
    local-response-redirect-uri entry 170
local-response-redirect-uri stanza entry
    local-response-redirect stanza 170
log-invalid-requests stanza entry
    logging stanza 174
logaudit stanza entry
    aznapi-configuration stanza 27
logcfg stanza entry
    aznapi-configuration stanza 28
logclientid stanza entry
    aznapi-configuration stanza 28
logflush stanza entry
    aznapi-configuration stanza 29
logging stanza 171
    absolute-uri-in-request-log entry 171
    agents entry 171
    audit-mime-types entry 172
    audit-response-codes entry 172
    flush-time entry 173
    gmt-time entry 173
    host-header-in-request-log entry 174
    log-invalid-requests entry 174
    max-size entry 175
    pam-log-cfg entry 205
    referers entry 175
    request-log-format entry 176
    requests entry 176
    server-log-cfg entry 178
login stanza entry
    acnt-mgt stanza 11
login-failures-persistent stanza entry
    ldap stanza 161
338 IBM Security Web Gateway Appliance Version 7.0: Web Reverse Proxy Stanza Reference
login-redirect-page stanza entry
  acnt-mgt stanza 12
login-success stanza entry
  acnt-mgt stanza 13
logout stanza entry
  acnt-mgt stanza 13
logout-remove-cookie stanza entry
  session stanza 266
logsize stanza entry
  aznapi-configuration stanza 30
ltpa stanza 179
  cookie-domain entry 180
  cookie-name entry 180
  jct-ltpa-cookie-name entry 181
  keyfile entry 182
  ltpa-auth entry 179, 182
  use-full-dn entry 183
ltpa-auth stanza entry
  ltpa stanza 179, 182
ltpa-cache stanza 183
  ltpa-cache-enabled entry 183
  ltpa-cache-entry-idle-timeout entry 184
  ltpa-cache-entry-lifetime entry 184
  ltpa-cache-size entry 185
ltpa-cache-enabled stanza entry
  ltpa-cache stanza 183
ltpa-cache-entry-idle-timeout stanza entry
  ltpa-cache stanza 184
ltpa-cache-entry-lifetime stanza entry
  ltpa-cache stanza 184
ltpa-cache-size stanza entry
  ltpa-cache stanza 185

M
macro stanza entry
  local-response-macros stanza 169
managed-cookies-list stanza entry
  junction stanza 139
mangle-domain-cookies stanza entry
  junction stanza 139
master-authn-server stanza entry
  e-community-sso stanza 80
master-http-port stanza entry
  e-community-sso stanza 81
master-https-port stanza entry
  e-community-sso stanza 82
master-name stanza entry
  cluster stanza 50
match-vhj-first stanza entry
  junction stanza 140
max-cached-persistent-connections stanza entry
  junction stanza 140
max-client-read stanza entry
  server stanza 244
max-entries stanza entry
  session stanza 267
max-file-cat-command-length stanza entry
  server stanza 244
max-file-descriptors stanza entry
  server stanza 245
max-idle-persistent-connections stanza entry
  server stanza 246
max-search-size stanza entry
  ldap stanza 162
max-size stanza entry
  logging stanza 175
max-wait-time stanza entry
  cluster stanza 51
max-webseal-header-size stanza entry
  junction stanza 141
mime_type stanza entry
  compress-mime-types stanza 51
MIME_type stanza entry
  content-cache stanza 53
mode-param stanza entry
  oauth-eas stanza 191
mpa stanza 185
  mpa entry 185
mpa stanza entry
  mpa stanza 185

N
name stanza entry
  e-community-domains stanza 74
  preserve-cookie-names stanza 209
network-interface stanza entry
  server stanza 246
network/netmask stanza entry
  ssl-qop-mgmt-networks stanza 302
non-identifiable stanza entry
  p3p-header stanza 197

O
oauth-eas stanza 186
  apply-tam-native-policy entry 186
  bad-gateway-rsp-file entry 187
  bad-request-rsp-file entry 187
  cache-size entry 188
  cluster-name entry 188
  default-fed-id entry 189
  default-mode entry 189
  fed-id-param entry 190
  mode-param entry 191
  realm-name entry 191
  trace-component entry 192
  unauthorized-rsp-file entry 192
obligation stanza entry
  obligations-levels-mapping stanza 193
obligations-levels-mapping stanza 193
  obligation entry 193
ocsp-enable stanza entry
  ssl stanza 288
ocsp-max-response-size stanza entry
  ssl stanza 289
ocsp-nonce-check-enable stanza entry
  ssl stanza 289
ocsp-nonce-generation-enable stanza entry
  ssl stanza 290
ocsp-proxy-server-name stanza entry
  ssl stanza 290
ocsp-proxy-server-port stanza entry
  ssl stanza 291
ocsp-url stanza entry
  ssl stanza 291
one-time-token stanza entry
  tfimsso:<jct-id> stanza 307
online
  publications ix
  terminology ix

P
p3p-element stanza entry
  p3p-header stanza 197
p3p-header stanza 194
  access entry 194
  categories entry 195
  disputes entry 196
  non-identifiable entry 197
  p3p-element entry 197
  purpose entry 198
  recipient entry 199
  remedies entry 200
  retention entry 201
PAM stanza 202
  pam-coalescer-parameter entry 204
  pam-disabled-issues entry 206
  pam-enabled entry 202
  pam-http-parameter entry 203
  pam-log-audit-events entry 206
  pam-max-memory entry 202
  pam-resource-rule entry 207
  pam-use-proxy-header entry 203
pam-coalescer-parameter stanza entry
  PAM stanza 204
pam-disabled-issues stanza entry
  PAM stanza 206
pam-enabled stanza entry
  PAM stanza 202
pam-http-parameter stanza entry
  PAM stanza 203
pam-log-audit-events stanza entry
  PAM stanza 206
pam-log-cfg stanza entry
  logging stanza 205
pam-max-memory stanza entry
  PAM stanza 202
pam-resource-rule stanza entry
  PAM stanza 207
pam-resource:<URI> stanza 208
  pam-issue entry 208
pam-use-proxy-header stanza entry
  PAM stanza 203
pass-http-only-cookie-atr stanza entry
  junction stanza 142
passwd-change stanza entry
  acnt-mgt stanza 14
passwd-change-failure stanza entry
  acnt-mgt stanza 14
passwd-change-success stanza entry
  acnt-mgt stanza 15
passwd-expired stanza entry
  acnt-mgt stanza 15
passwd-warn stanza entry
  acnt-mgt stanza 16
passwd-warn-failure stanza entry
  acnt-mgt stanza 16
pattern stanza entry
  compress-user-agents stanza 52
Index 339
permission-info-returned stanza entry
  aznapi-configuration stanza 30
persistent-con-timeout stanza entry
  junction stanza 142
  server stanza 247
ping-method stanza entry
  junction stanza 143
ping-time stanza entry
  junction stanza 144
ping-uri stanza entry
  junction stanza 144
policy-attr-separator stanza entry
  aznapi-configuration stanza 31
policy-cache-size stanza entry
  aznapi-configuration stanza 31
policy-name stanza entry
  credential-policy-attributes stanza 56
port stanza entry
  ldap stanza 163
pre-410-compatible-tokens stanza entry
  server stanza 247
pre-510-compatible-token stanza entry
  server stanza 248
prefer-readwrite-server stanza entry
  ldap stanza 162
preserve-base-href stanza entry
  server stanza 248
preserve-base-href2 stanza entry
  server stanza 249
preserve-cookie-names stanza 209
  name entry 209
preserve-p3p-policy stanza entry
  server stanza 249
preserve-xml-token stanza entry
  tfimsso:<jct-id> stanza 308
principal-name stanza entry
  itim stanza 116
principal-password stanza entry
  itim stanza 116
problem-determination xiv
process-root-filter stanza 209
  root entry 209
process-root-requests stanza entry
  server stanza 250
prompt-for-displacement stanza entry
  session stanza 268
propagate-cdmf-errors stanza entry
  cdsso stanza 38
  e-community-sso stanza 82
publications
  accessing online ix
  list of for this product ix
purpose stanza entry
  p3p-header stanza 198

R
realm-name stanza entry
  oauth-eas stanza 191
reauth-at-any-level stanza entry
  reauthentication stanza 210
reauth-extend-lifetime stanza entry
  reauthentication stanza 210
reauth-for-inactive stanza entry
  reauthentication stanza 211
reauth-reset-lifetime stanza entry
  reauthentication stanza 211
reauthentication stanza 210
  reauth-at-any-level entry 210
  reauth-extend-lifetime entry 210
  reauth-for-inactive entry 211
  reauth-reset-lifetime entry 211
  terminate-on-reauth-lockout entry 212
recipient stanza entry
  p3p-header stanza 199
recovery-ping-time stanza entry
  junction stanza 145
redirect stanza entry
  enable-redirects stanza 87
redirect-to-root-for-pkms stanza entry
  acnt-mgt stanza 17
redirect-using-relative stanza entry
  server stanza 250
referers stanza entry
  logging stanza 175
register-authentication-failures stanza entry
  session stanza 268
reissue-missing-failover-cookie stanza entry
  failover stanza 92
reject-invalid-host-header stanza entry
  server stanza 251
reject-request-transfer-encodings stanza entry
  server stanza 252
remedies stanza entry
  p3p-header stanza 200
renewal-window stanza entry
  tfimsso:<jct-id> stanza 308
replica stanza entry
  ldap stanza 163
replica-set stanza entry
  replica-sets stanza 213
replica-sets stanza 213
  replica-set entry 213
reprocess-root-jct-404s stanza entry
  junction stanza 146
request-body-max-read stanza entry
  server stanza 252
request-log-format stanza entry
  logging stanza 176
request-max-cache stanza entry
  server stanza 253
requests stanza entry
  logging stanza 176
require-mpa stanza entry
  session stanza 269
resend-webseal-cookies stanza entry
  session stanza 269
reset-cookies-list stanza entry
  junction stanza 146
resource-manager-provided-adi stanza entry
  aznapi-configuration stanza 32
response-by stanza entry
  dsess-cluster stanza 62
response-code-rules stanza entry
  junction stanza 147
retain-eai-session stanza entry
  eai stanza 72
retain-stepup-session stanza entry
  step-up stanza 303
retention stanza entry
  p3p-header stanza 201
rewrite-absolute-with-absolute stanza entry
  script-filtering stanza 224
root stanza entry
  process-root-filter stanza 209
rtss-eas stanza 213
  apply-tam-native-policy entry 213
  audit-log-cfg entry 214
  cluster-name entry 215
  context-id entry 216
  trace-component entry 216
rules-file stanza entry
  cert-map-authn stanza 47

S
scheme stanza entry
  filter-schemes stanza 100
script-filter stanza entry
  script-filtering stanza 224
script-filtering stanza 223
  hostname-junction-cookie entry 223
  rewrite-absolute-with-absolute entry 224
  script-filter entry 224
search-timeout stanza entry
  ldap stanza 164
send-constant-sess stanza entry
  session stanza 270
send-header-ba-first stanza entry
  server stanza 253
send-header-spnego-first stanza entry
  server stanza 254
server stanza 225
  allow-shift-jis-chars entry 225
  allow-unauth-ba-supply entry 225
  allow-unsolicited-logins entry 226
  auth-challenge-type entry 227
  cache-host-header entry 228
  capitalize-content-length entry 229
  chunk-responses entry 230
  client-connect-timeout entry 229
  concurrent-session-threads-hard-limit entry 230
  concurrent-session-threads-soft-limit entry 231
  connection-request-limit entry 231
  cope-with-pipelined-request entry 232
  decode-query entry 232
  disable-timeout-reduction entry 233
  double-byte-encoding entry 233
  dynurl-allow-large-posts entry 234
  dynurl-map entry 235
  enable-IE6-2GB-downloads entry 235
  filter-nonhtml-as-xhtml entry 236
  force-tag-value-prefix entry 236
  http entry 237
  http-method-disabled-local entry 237
  http-method-disabled-remote entry 238
  http-port entry 238
  https entry 239
server stanza (continued)
  https-port entry 239
  ignore-missing-last-chunk entry 240
  intra-connection-timeout entry 240
  io-buffer-size entry 241
  ip-support-level entry 242
  ipv6-support entry 243
  late-lockout-notification entry 243
  max-client-read entry 244
  max-file-cat-command-length entry 244
  max-file-descriptors entry 245
  max-idle-persistent-connections entry 246
  network-interface entry 246
  persistent-con-timeout entry 247
  pre-410-compatible-tokens entry 247
  pre-510-compatible-token entry 248
  preserve-base-href entry 248
  preserve-base-href2 entry 249
  preserve-p3p-policy entry 249
  process-root-requests entry 250
  redirect-using-relative entry 250
  reject-invalid-host-header entry 251
  reject-request-transfer-encodings entry 252
  request-body-max-read entry 252
  request-max-cache entry 253
  send-header-ba-first entry 253
  send-header-spnego-first entry 254
  server-name entry 255
  slash-before-query-on-redirect entry 255
  strip-www-authenticate-headers entry 256
  suppress-backend-server-identity entry 256
  suppress-dynurl-parsing-of-posts entry 257
  suppress-server-identity entry 258
  tag-value-missing-attr-tag entry 258
  use-existing-username-macro-in-custom-redirects entry 259
  use-http-only-cookies entry 259
  utf8-form-support-enabled entry 260
  utf8-qstring-support-enabled entry 260
  utf8-url-support-enabled entry 261
  validate-query-as-ga entry 261
  web-host-name entry 262
  web-http-port entry 263
  web-http-protocol entry 263
  worker-threads entry 264
server stanza entry
  dsess-cluster stanza 62
  tfim-cluster:<cluster> stanza 315
  xacml-cluster:<cluster> stanza 219
server-log-cfg stanza entry
  logging stanza 178
server-name stanza entry
  header-names stanza 107
  server stanza 255
service-name stanza entry
  tfimsso:<jct-id> stanza 309
service-password-dn stanza entry
  itim stanza 117
service-source-dn stanza entry
  itim stanza 118
service-token-card-dn stanza entry
  itim stanza 119
servlet-port stanza entry
  itim stanza 120
session stanza 264
  dsess-enabled entry 264
  dsess-last-access-update-interval entry 265
  enforce-max-sessions-policy entry 265
  inactive-timeout entry 266
  logout-remove-cookie entry 266
  max-entries entry 267
  prompt-for-displacement entry 268
  register-authentication-failures entry 268
  require-mpa entry 269
  resend-webseal-cookies entry 269
  send-constant-sess entry 270
  shared-domain-cookie entry 270
  ssl-id-sessions entry 271
  ssl-session-cookie-name entry 271
  standard-junction-replica-set entry 272
  tcp-session-cookie-name entry 272
  temp-session-cookie-name entry 273
  temp-session-max-lifetime entry 273
  timeout entry 274
  update-session-cookie-in-login-request entry 275
  use-same-session entry 276
  user-session-ids entry 275
  user-session-ids-include-replica-set entry 276
session-activity-timestamp stanza entry
  failover-add-attributes stanza 94
session-cookie-domains stanza 277
  domain entry 277
session-http-headers stanza 277
  header_name entry 277
session-lifetime-timestamp stanza entry
  failover-add-attributes stanza 94
share-cookies stanza entry
  junction stanza 148
shared-domain-cookie stanza entry
  session stanza 270
show-all-auth-prompts stanza entry
  step-up stanza 303
single-signoff-uri stanza entry
  acnt-mgt stanza 17
slash-before-query-on-redirect stanza entry
  server stanza 255
ssl stanza 278
  base-crypto-library entry 278
  crl-ldap-server entry 278
  crl-ldap-server-port entry 279
  crl-ldap-user entry 280
  crl-ldap-user-password entry 280
  disable-ssl-v2 entry 281
  disable-ssl-v3 entry 281
  disable-tls-v1 entry 282
  disable-tls-v11 entry 282
  disable-tls-v12 entry 283
  enable-duplicate-ssl-dn-not-found-msgs entry 283
  fips-mode-processing entry 284
  gsk-attr-name entry 284
  gsk-crl-cache-entry-lifetime entry 286
  gsk-crl-cache-size entry 286
  jct-gsk-attr-name entry 287
  ocsp-enable entry 288
  ocsp-max-response-size entry 289
  ocsp-nonce-check-enable entry 289
  ocsp-nonce-generation-enable entry 290
  ocsp-proxy-server-name entry 290
  ocsp-proxy-server-port entry 291
  ocsp-url entry 291
  ssl-keyfile entry 292
  ssl-keyfile-label entry 292
  ssl-keyfile-pwd entry 293
  ssl-keyfile-stash entry 293
  ssl-local-domain entry 294
  ssl-max-entries entry 294
  ssl-v2-timeout entry 295
  ssl-v3-timeout entry 296
  suppress-client-ssl-errors entry 296
  undetermined-revocation-cert-action entry 297
  webseal-cert-keyfile entry 297
  webseal-cert-keyfile-label entry 298
  webseal-cert-keyfile-pwd entry 298
  webseal-cert-keyfile-stash entry 299
ssl-enabled stanza entry
  ldap stanza 165
ssl-fips-enabled stanza entry
  dsess-cluster stanza 63
  tfim-cluster:<cluster> stanza 316
  xacml-cluster:<cluster> stanza 220
ssl-id-sessions stanza entry
  session stanza 271
ssl-keyfile stanza entry
  dsess-cluster stanza 64
  ldap stanza 165
  ssl stanza 292
  tfim-cluster:<cluster> stanza 316
  xacml-cluster:<cluster> stanza 220
ssl-keyfile-dn stanza entry
  ldap stanza 166
ssl-keyfile-label stanza entry
  dsess-cluster stanza 64
  ssl stanza 292
  tfim-cluster:<cluster> stanza 317
  xacml-cluster:<cluster> stanza 221
ssl-keyfile-pwd stanza entry
  ldap stanza 167
  ssl stanza 293
ssl-keyfile-stash stanza entry
  dsess-cluster stanza 65
  ssl stanza 293
  xacml-cluster:<cluster> stanza 222
ssl-keyfile-stash stanza entry (continued)
  tfim-cluster:<cluster> stanza 318
ssl-local-domain stanza entry
  ssl stanza 294
ssl-max-entries stanza entry
  ssl stanza 294
ssl-port stanza entry
  ldap stanza 167
ssl-qop stanza 299
  ssl-qop-mgmt entry 299
ssl-qop-mgmt stanza entry
  ssl-qop stanza 299
ssl-qop-mgmt-default stanza 300
  default entry 300
ssl-qop-mgmt-hosts stanza 301
  host-ip entry 301
ssl-qop-mgmt-networks stanza 302
  network/netmask entry 302
ssl-session-cookie-name stanza entry
  session stanza 271
ssl-v2-timeout stanza entry
  ssl stanza 295
ssl-v3-timeout stanza entry
  ssl stanza 296
ssl-valid-server-dn stanza entry
  dsess-cluster stanza 65
  tfim-cluster:<cluster> stanza 318
  xacml-cluster:<cluster> stanza 222
standard-junction-replica-set stanza entry
  session stanza 272
stanza
  ICAP:resource 109
  tfim-cluster:<cluster> 312
  xacml-cluster:<cluster> 217
  cluster 218
stanza entry 40, 48, 86
stanza reference 1
stanzas
  acnt-mgt 1
  auth-cookies 21
  authentication-levels 22
  azn-decision-info 33
  aznapi-configuration 23
  ba 34
  cdsso 35
  cdsso-incoming-attributes 39
  cdsso-peers 40
  cdsso-token-attributes 40
  cert-map-authn 47
  certificate 42
  cfg-db-cmd:entries 48
  cfg-db-cmd:files 49
  cluster 49
  compress-mime-types 51
  compress-user-agents 52
  content 53
  content-cache 53
  content-encodings 54
  content-index-icons 55
  credential-policy-attributes 56
  credential-refresh-attributes 57
  dsess 58
  dsess-cluster 59
  e-community-domain-keys 74
  e-community-domain-keys:<domain> 75
  e-community-domains 74
  e-community-sso 75
  eai 66
  eai-trigger-urls 72
  ecsso-incoming-attributes 85
  ecsso-token-attributes 86
  enable-redirects 87
  failover 87
  failover-add-attributes 93
  failover-restore-attributes 95
  filter-content-types 96
  filter-events 97
  filter-request-headers 99
  filter-schemes 100
  filter-url 101
  flow-data 102
  forms 103
  gso-cache 105
  header-names 107
  http-transformations 107
  icap 109
  illegal-url-substrings 110
  interfaces 111
  itim 112
  junction 121
  junction:<junction_name> 152
  ldap 152
  local-response-macros 169
  local-response-redirect 170
  logging 171
  ltpa 179
  ltpa-cache 183
  mpa 185
  oauth-eas 186
  obligations-levels-mapping 193
  p3p-header 194
  PAM 202
  pam-resource:<URI> 208
  preserve-cookie-names 209
  process-root-filter 209
  reauthentication 210
  replica-sets 213
  script-filtering 223
  server 225
  session 264
  session-cookie-domains 277
  session-http-headers 277
  ssl 278
  ssl-qop 299
  ssl-qop-mgmt-default 300
  ssl-qop-mgmt-hosts 301
  ssl-qop-mgmt-networks 302
  step-up 303
  system-environment-variables 305
  tfimsso:<jct-id> 306
  uraf-registry 319
  user-agent 322
step-up stanza 303
  retain-stepup-session entry 303
  show-all-auth-prompts entry 303
  step-up-at-higher-level entry 304
  verify-step-up-user entry 304
step-up-at-higher-level stanza entry
  step-up stanza 304
stepup-login stanza entry
  acnt-mgt stanza 18
strip-www-authenticate-headers stanza entry
  server stanza 256
substring stanza entry
  illegal-url-substrings stanza 110
support-virtual-host-domain-cookies stanza entry
  junction stanza 148
suppress-backend-server-identity stanza entry
  server stanza 256
suppress-client-ssl-errors stanza entry
  ssl stanza 296
suppress-dynurl-parsing-of-posts stanza entry
  server stanza 257
suppress-server-identity stanza entry
  server stanza 258
switch-user stanza entry
  acnt-mgt stanza 19
system-environment-variables stanza 305
  env-name entry 305

T
tag-value-missing-attr-tag stanza entry
  server stanza 258
tcp-session-cookie-name stanza entry
  session stanza 272
temp-cache-response stanza entry
  acnt-mgt stanza 19
temp-session-cookie-name stanza entry
  session stanza 273
temp-session-max-lifetime stanza entry
  session stanza 273
terminate-on-reauth-lockout stanza entry
  reauthentication stanza 212
terminology xii
tfim-cluster-name stanza entry
  tfimsso:<jct-id> stanza 309
tfim-cluster:<cluster> stanza 312
  basic-auth-passwd entry 312
  basic-auth-user entry 312
  gsk-attr-name entry 313
  handle-idle-timeout entry 314
  handle-pool-size entry 314
  server entry 315
  ssl-fips-enabled entry 316
  ssl-keyfile entry 316
  ssl-keyfile-label entry 317
  ssl-keyfile-stash entry 318
  ssl-valid-server-dn entry 318
  timeout entry 319
tfimsso:<jct-id> stanza 306
  always-send-tokens entry 306
  applies-to entry 307
  one-time-token entry 307
  preserve-xml-token entry 308
  renewal-window entry 308
tfimsso:<jct-id> stanza (continued)
  service-name entry 309
  tfim-cluster-name entry 309
  token-collection-size entry 310
  token-transmit-name entry 311
  token-transmit-type entry 311
  token-type entry 310
timeout stanza entry
  dsess-cluster stanza 66
  ldap stanza 168
  session stanza 274
  tfim-cluster:<cluster> stanza 319
  xacml-cluster:<cluster> stanza 223
Tivoli Directory Integrator xii
Tivoli Directory Server xii
token-collection-size stanza entry
  tfimsso:<jct-id> stanza 310
token-transmit-name stanza entry
  tfimsso:<jct-id> stanza 311
token-transmit-type stanza entry
  tfimsso:<jct-id> stanza 311
token-type stanza entry
  tfimsso:<jct-id> stanza 310
too-many-sessions stanza entry
  acnt-mgt stanza 20
trace-component stanza entry
  oauth-eas stanza 192
  rtss-eas stanza 216
training xiv
trigger stanza entry
  eai-trigger-urls stanza 72, 73
troubleshooting xiv
stanza
  ICAP:resource 110
type stanza entry
  content-index-icons stanza 55
  filter-content-types stanza 96

U
unauthorized-rsp-file stanza entry
  oauth-eas stanza 192
undetermined-revocation-cert-action stanza entry
  ssl stanza 297
update-session-cookie-in-login-request stanza entry
  session stanza 275
uraf-registry stanza 319
  bind-id entry 319
  cache-lifetime entry 320
  cache-mode entry 321
  cache-size entry 321
use-existing-username-macro-in-custom-redirects stanza entry
  server stanza 259
use-filename-for-pkmslogout stanza entry
  acnt-mgt stanza 21
use-full-dn stanza entry
  ltpa stanza 183
use-http-only-cookies stanza entry
  server stanza 259
use-new-stateful-on-error stanza entry
  junction stanza 149
use-restrictive-logout-filenames stanza entry
  acnt-mgt stanza 20
use-same-session stanza entry
  session stanza 276
use-utf8 stanza entry
  cdsso stanza 38
  e-community-sso stanza 83
  failover stanza 93
user-agent stanza 322
  user-agent entry 322
user-and-group-in-same-suffix stanza entry
  ldap stanza 168
user-session-ids stanza entry
  session stanza 275
user-session-ids-include-replica-set stanza entry
  session stanza 276
utf8-form-support-enabled stanza entry
  server stanza 260
utf8-qstring-support-enabled stanza entry
  server stanza 260
utf8-template-macros-enabled stanza entry
  content stanza 53
utf8-url-support-enabled stanza entry
  server stanza 261

V
validate-backend-domain-cookies stanza entry
  junction stanza 150
validate-query-as-ga stanza entry
  server stanza 261
verify-step-up-user stanza entry
  step-up stanza 304
vf-argument stanza entry
  e-community-sso stanza 83
vf-token-lifetime stanza entry
  e-community-sso stanza 84
vf-url stanza entry
  e-community-sso stanza 84

W
web-host-name stanza entry
  server stanza 262
web-http-port stanza entry
  server stanza 263
web-http-protocol stanza entry
  server stanza 263
webseal-cert-keyfile stanza entry
  ssl stanza 297
webseal-cert-keyfile-label stanza entry
  ssl stanza 298
webseal-cert-keyfile-pwd stanza entry
  ssl stanza 298
webseal-cert-keyfile-stash stanza entry
  ssl stanza 299
WebSphere Application Server Network Deployment xii
WebSphere eXtreme Scale xii
worker-thread-hard-limit stanza entry
  junction stanza 150
worker-thread-soft-limit stanza entry
  junction stanza 151
worker-threads stanza entry
  server stanza 264

X
xacml-cluster:<cluster> stanza 217
  basic-auth-passwd entry 217
  basic-auth-user entry 217
  handle-idle-timeout entry 218
  handle-pool-size entry 218
  server entry 219
  ssl-fips-enabled entry 220
  ssl-keyfile entry 220
  ssl-keyfile-label entry 221
  ssl-keyfile-stash entry 222
  ssl-valid-server-dn entry 222
  timeout entry 223
xsl-stylesheet-prolog stanza entry
  aznapi-configuration stanza 33
Printed in USA
SC27-4443-00